Malicious PDF — malware analysis report

Static analysis result for SHA-256 35e7ceebcabf8aa9…

Verdict: MALICIOUS
File type: PDF
Size: 38.8 KB
Created: 2020-03-10 04:41:27 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 71f7608ba99a06e527d225f4b760fe9b
SHA-1: 95a16aaf691e96bad453d90d292c4e017f590c1a
SHA-256: 35e7ceebcabf8aa91cfae1124ccd6383d8f2af16205198c8eb7711aeab560b7d
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the recipient opens the PDF)
T1204.001 User Execution: Malicious Link (the recipient follows a link inside it; the original page labelled T1204.002 as "Malicious Link", but that name belongs to T1204.001)

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, contains text referencing 'Brave new world chapter 4 5 6 summary', and the primary URL (an HTML page on 74-123-72-180.mgwnet.com) carries the same phrase in its fragment. The remaining 15 links each point to a PDF on a different domain, yet all share the same /uploads/1/3/x/y/<ten-digit id>/ path layout, which points to one hosting platform behind many throwaway domains rather than independent sites. The file was produced by wkhtmltopdf, i.e. rendered from HTML rather than authored in a desktop application, consistent with automated generation at scale. This suggests a lure to a content-rich landing page that in turn links to a farm of other PDF documents; the primary purpose appears to be driving traffic to those resources, for SEO manipulation or to distribute further malicious content. None of the three heuristics that fired concerns active content (JavaScript, embedded files or launch actions), so the risk lies in the link targets, and the actionable indicators are the URLs and hostnames rather than the file itself.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary link (HTML landing page, fragment repeats the lure phrase):
    • http://74-123-72-180.mgwnet.com/uploads/1/3/0/7/130739860/130739860.html#brave+new+world+chapter+4+5+6+summary
    Link-farm targets (15 PDFs, one host each, identical /uploads/ path layout):
    • http://beescupcakebites.com/uploads/1/3/0/6/130603966/515b155.pdf
    • http://qiiradesignno.com/uploads/1/3/0/7/130776718/bovuru.pdf
    • http://www.born2swim.org/uploads/1/3/0/7/130776405/tapebiwiparal.pdf
    • http://staceyclarkdllportfolio.com/uploads/1/3/0/3/130313436/liluxoredav.pdf
    • http://larazgourmet.com/uploads/1/3/0/5/130539818/funoxonegupel.pdf
    • http://mysteriesnghostsefiction.com/uploads/1/3/0/2/130289399/9a586f7e64221f7.pdf
    • http://catchnrelease.org/uploads/1/3/0/7/130739165/79f9f0ef8e84cb.pdf
    • http://independentrealty1.net/uploads/1/3/0/8/130873984/4514778.pdf
    • http://webuyhousesingta.com/uploads/1/3/1/0/131070845/3439017.pdf
    • http://wellfleetpirate.com/uploads/1/3/0/5/130588702/jozon-tuminikirubivud-ruwam-funap.pdf
    • http://shupacups.com/uploads/1/3/0/2/130288483/ae2994d54.pdf
    • http://threadsolelife.com/uploads/1/3/0/4/130435679/8a8559701a03.pdf
    • http://www.alwaysbestronger.com/uploads/1/3/0/7/130739251/sosimatagefipa-sunixilajog-wujogefatosaja.pdf
    • http://www.gregneville.net/uploads/1/3/0/9/130969475/9c02f.pdf
    • http://mail.renoraces.com/uploads/1/3/0/6/130620646/cc2365.pdf
    XMP/RDF namespace identifiers from the document metadata (not navigable links; a generic URL grep picks them up, a /URI-action extractor does not):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
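The PDF_SEO_LINK_FARM logic described above, re-created as an added Python example (not the analysis platform's own code): it pulls URIs out of /URI actions in a PDF, separates them from namespace URIs that a generic URL grep would also return, and scores link-farm structure both by host and by normalised path template. The minimal PDF, the placeholder hostnames under example.net/example.org and the thresholds (100 KB, eight .pdf links, half the links sharing one host or one path template) are constructed assumptions for the example; the vendor's real thresholds are not stated on this page.

```python
"""Added example: a PDF_SEO_LINK_FARM-style check over /URI actions.

Not the analysis platform's code. Thresholds, hostnames and the sample
PDF below are constructed assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse


def build_sample_pdf(uris):
    """Assemble a minimal one-page PDF with one /Link annotation per URI plus an
    XMP metadata stream carrying namespace URIs. Constructed for this example;
    it has no xref table, which a byte-level scanner does not need."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata %d 0 R >>" % (4 + len(uris)),
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for u in uris:
        lit = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (" + lit + b") >> >>")
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (literal string)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <hex string>


def _unescape_literal(raw):
    """Decode PDF literal-string escapes: \\n \\r \\t \\b \\f, \\( \\) \\\\ and octal \\ddd."""
    def repl(m):
        e = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", e):
            return bytes([int(e, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.S)


def extract_uri_actions(pdf):
    """URIs carried by /URI actions (link annotations, OpenAction, ...) in literal or
    hex form. Limits: balanced unescaped parentheses inside a literal are not handled,
    and actions packed into FlateDecode object streams are invisible until inflated."""
    uris = [_unescape_literal(m.group(1)).decode("latin-1") for m in _LITERAL.finditer(pdf)]
    for m in _HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group(1))
        h = h + b"0" if len(h) % 2 else h            # PDF pads an odd trailing digit with 0
        uris.append(bytes.fromhex(h.decode()).decode("latin-1"))
    return uris


def path_template(path):
    """Collapse digit runs and the file name so structurally identical paths compare equal."""
    head, _, name = path.rpartition("/")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return re.sub(r"\d+", "N", head) + "/*" + ("." + ext if ext else "")


def seo_link_farm_verdict(pdf, max_size=100 * 1024, min_pdf_links=8, cluster_share=0.5):
    """Illustrative re-creation of the heuristic: small file, many external .pdf links,
    and those links clustered on one host or on one path template (assumed thresholds)."""
    actions = extract_uri_actions(pdf)
    pdf_links = [u for u in actions
                 if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    templates = Counter(path_template(urlparse(u).path) for u in pdf_links)
    top_host = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl = templates.most_common(1)[0] if templates else (None, 0)
    n = len(pdf_links)
    clustered = n > 0 and (top_host[1] >= cluster_share * n or top_tpl[1] >= cluster_share * n)
    # A generic URL grep also returns XMP namespace identifiers; report what it finds beyond the actions.
    generic = {m.group(0).decode("latin-1") for m in re.finditer(rb"https?://[^\s\"'<>()]+", pdf)}
    return {
        "size": len(pdf),
        "uri_actions": len(actions),
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_path_template": top_tpl[0],
        "non_action_urls": sorted(generic - set(actions)),
        "hit": len(pdf) <= max_size and n >= min_pdf_links and clustered,
    }


SAMPLE_LINKS = [
    # constructed: one HTML landing page, then nine .pdf links on nine placeholder hosts
    "http://198-51-100-7.example.net/uploads/1/3/0/7/130739860/130739860.html#brave+new+world+chapter+4+5+6+summary",
] + [f"http://site{i:02d}.example.org/uploads/1/3/0/{i % 10}/13{i:07d}/doc{i}.pdf" for i in range(1, 10)]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS)

if __name__ == "__main__":
    for key, value in seo_link_farm_verdict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run stand-alone, it prints the verdict fields for the constructed sample. On this report's sample the host-clustering criterion alone would not fire, since the 15 PDF links sit on 15 different hosts; that is why the example also clusters on the normalised path template, where all of them collapse to /uploads/N/N/N/N/N/*.pdf. For real files, inflate FlateDecode object streams before scanning, because link annotations packed into them never appear in a byte-level regex pass.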

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000070b9.bin
SHA-256: 0f29e297ee2037212b9e9d584e4f69d855d035b88f38198c6fe550519b24d842
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x70B9
Size: 7516 bytes