Malicious PDF — malware analysis report

Static analysis result for SHA-256 3838a5882b7bc464…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2020-06-10 06:44:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 49bfd55b17894d401987755e67f2d065
SHA-1: b01f24a67680b036485f406270f22f8d0df85cf4
SHA-256: 3838a5882b7bc464bed104f038192cfb81e6dd4090ff74fc56ec984703c9c14d
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links point to further PDF files spread across many domains: eight on distinct hosts sharing an /uploads/<digits>/ path pattern and five on *.files.wordpress.com subdomains, a layout consistent with a generated link farm or a staging hop toward further malicious or unwanted content. The visible document text is largely garbled but repeats some of the same URLs. No JavaScript or other scripts were extracted from this sample; the only actions found are URI actions, so the risk lies in where the links lead rather than in the file itself.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (link targets and document-body text):
    • http://host43.carmichaelnl.com/uploads/1/3/0/7/130740013/130740013.html#wows+gro%25C3%259Fer+kurf%25C3%25BCrst+guide
    • http://cpcontacts.littlecreekfarmllc.com/uploads/1/3/0/3/130313127/185321.pdf
    • http://drhamby.com/uploads/1/3/0/7/130738792/791206.pdf
    • http://gofunavi.com/uploads/1/3/1/8/131856394/3343694.pdf
    • http://74-123-75-200.mgwnet.com/uploads/1/3/0/2/130272573/fb2bcb.pdf
    • http://catalystpsychotherapy.com/uploads/1/3/0/4/130478057/fabikasepevu_vexizoj_fovudiguk.pdf
    • http://server65294.misscarols.com/uploads/1/3/1/3/131381150/kagipujoxesipa.pdf
    • http://sunnyvalespikers.com/uploads/1/3/0/5/130551338/narepiki_foxasojekokabe_fufosokofo.pdf
    • http://webdisk.bestoftimeswatch.com/uploads/1/3/1/8/131857846/4859567.pdf
    • https://kifukixu.files.wordpress.com/2020/06/71846099665.pdf
    • https://dotuwapifufe.files.wordpress.com/2020/06/51635053152.pdf
    • https://mevapojoro.files.wordpress.com/2020/06/lodufukitow.pdf
    • https://fegudixifu.files.wordpress.com/2020/06/tuzojixigiwodofatiz.pdf
    • https://pugekom.files.wordpress.com/2020/06/zizuvadimi.pdf
    XMP metadata namespace identifiers (found in the document's XMP packet; these are schema URIs present in virtually every PDF, not clickable links, and carry no weight in the verdict):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
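The following is an added example of how the PDF_SEO_LINK_FARM check and the per-channel URL labelling above can be reproduced; it is not the analyzer's own code. It extracts URLs from a raw PDF by channel (link-annotation URI action, body text-show string, XMP namespace declaration), discards the XMP namespace identifiers, and scores the link channel on file size, external .pdf link count and domain concentration. The thresholds, regular expressions, helper names and the constructed sample PDF (with example.* hosts) are assumptions; it reads uncompressed objects only, so real samples normally need their streams inflated first (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# XMP namespace identifiers sit in the metadata packet of almost every PDF.
# They are not clickable and must never count toward a link-farm score.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# A PDF literal string: (...) with \( \) \\ escapes allowed inside.
_LITERAL = rb"\((?P<s>(?:\\.|[^\\)])*)\)"
LINK_RE = re.compile(rb"/URI\s*" + _LITERAL)   # URI action of a /Link annotation
BODY_RE = re.compile(_LITERAL + rb"\s*Tj")     # text-show operator in a content stream
XMP_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="(?P<s>https?://[^"]+)"')  # XMP namespace


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes (\\( \\) \\\\) that occur in URLs."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map channel name -> URLs reached through that channel."""
    urls = {
        "link": [_unescape(m.group("s")) for m in LINK_RE.finditer(pdf)],
        "body": [],
        "xmp": [m.group("s").decode("latin-1") for m in XMP_RE.finditer(pdf)],
    }
    for m in BODY_RE.finditer(pdf):
        s = _unescape(m.group("s"))
        if s.startswith(("http://", "https://")):
            urls["body"].append(s)
    return urls


def _cluster_key(url: str) -> str:
    """Approximate registrable domain: last two labels of the host (assumption)."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def score_link_farm(pdf: bytes, max_size=64 * 1024, min_links=8, cluster_ratio=0.5) -> dict:
    """Small file + many external .pdf link annotations + most on one domain.
    Threshold values are assumptions chosen for this example."""
    urls = extract_urls(pdf)
    ext_pdf = [
        u for u in urls["link"]
        if urlparse(u).scheme in ("http", "https")
        and urlparse(u).path.lower().endswith(".pdf")
        and not u.startswith(XMP_NAMESPACE_PREFIXES)
    ]
    clusters = Counter(_cluster_key(u) for u in ext_pdf)
    top_domain, top_count = clusters.most_common(1)[0] if clusters else ("", 0)
    ratio = top_count / len(ext_pdf) if ext_pdf else 0.0
    fired = len(pdf) <= max_size and len(ext_pdf) >= min_links and ratio >= cluster_ratio
    return {
        "size": len(pdf),
        "external_pdf_links": len(ext_pdf),
        "top_domain": top_domain,
        "top_domain_ratio": round(ratio, 2),
        "body_urls": len(urls["body"]),
        "xmp_namespaces": len(urls["xmp"]),
        "PDF_SEO_LINK_FARM": fired,
    }


# Constructed sample data: fake hosts mimicking the report's layout
# (a cluster of *.files.<domain> subdomains, a few /uploads/<digits>/ hosts, one .html page).
SAMPLE_LINKS = [
    "http://h1.files.example.org/2020/06/71846099665.pdf",
    "http://h2.files.example.org/2020/06/51635053152.pdf",
    "http://h3.files.example.org/2020/06/lodufukitow.pdf",
    "http://h4.files.example.org/2020/06/tuzojixigiwodofatiz.pdf",
    "http://h5.files.example.org/2020/06/zizuvadimi.pdf",
    "https://h6.files.example.org/2020/06/4859567.pdf",
    "https://h7.files.example.org/2020/06/guide(1).pdf",   # exercises \( \) escaping
    "http://cpcontacts.example.com/uploads/1/3/0/3/130313127/185321.pdf",
    "http://webdisk.example.net/uploads/1/3/1/8/131857846/fb2bcb.pdf",
    "http://server.example.edu/uploads/1/3/0/5/130551338/narepiki.pdf",
    "http://host43.example.com/uploads/1/3/0/7/130740013/130740013.html#guide",
]
SAMPLE_BODY = [SAMPLE_LINKS[0], SAMPLE_LINKS[7]]   # URLs repeated in the visible text


def build_sample_pdf(link_urls, body_urls) -> bytes:
    """Constructed minimal PDF (no valid xref): one /Link annotation per URL,
    one text-show string per body URL, and a small XMP packet."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI (%s) >> >>\n"
        % u.replace("(", "\\(").replace(")", "\\)").encode()
        for u in link_urls
    )
    body = b"".join(b"BT (%s) Tj ET\n" % u.encode() for u in body_urls)
    xmp = (b'<x:xmpmeta><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/" xmlns:xmp="http://ns.adobe.com/xap/1.0/"/>'
           b'</rdf:RDF></x:xmpmeta>')
    return b"%PDF-1.4\n" + annots + b"stream\n" + body + b"endstream\n" + xmp + b"\n%%EOF\n"


if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY)).items():
        print(f"{key}: {value}")
```

The domain-clustering key is deliberately crude (last two host labels), which is enough to group subdomain farms like the *.files.wordpress.com set above but will over-merge hosts under country-code second-level domains; a production check should use the public suffix list instead.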

Extracted artifacts (1)

Files carved from inside the sample during analysis. An embedded sfnt (TrueType) font stream is normal output for a wkhtmltopdf-generated document and is not a finding on its own.

Filename: font_00_sfnt_off00006126.bin
SHA-256: eb5a3bd77125e26bcfeca2cd0046395a0cca33455fcca38213891636a58a02d5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6126
Size: 10992 bytes