Malicious PDF — malware analysis report

Static analysis result for SHA-256 356f4fda20d836e0…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Created: 2020-03-23 12:31:08 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 41680222c211f6e8811401b0bc395ce3
SHA-1: 1c2d437d9d4e6f2605e34223bed2a090b01931e8
SHA-256: 356f4fda20d836e02b490b0cf9fa0b90c9e6820ec0a3550830a11769af92840f
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many pointing to similarly structured URLs on different domains, indicating a link farm or SEO abuse tactic. The document body text, though partially garbled, includes a URL that appears to be a lure for downloading music. The primary heuristic indicates a 'PDF_SEO_LINK_FARM' with 30 external links, suggesting a malicious intent to distribute links to potentially harmful content or phishing sites. The embedded URLs are likely part of this distribution mechanism.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mazasociados.com/uploads/1/3/0/5/130541904/130541904.html#descargar+m%C3%BAsica+cristiana+gratis+y+f%C3%A1cil

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000076cb.bin
    SHA-256: a70a789f564765d2e32e13b1c7f14584c493b4345dc669714e7c80fa1f61b228
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x76CB
    Size: 9468 bytes
  • Filename: font_01_sfnt_off000098d0.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x98D0
    Size: 16036 bytes