Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bc5906691952b89…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Created: 2020-04-01 17:53:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 53d0a9d8068f416f85e83f1bde2e4b95
SHA-1: f4d6a8f30c576d772d946e2387c2a214206f7c3a
SHA-256: 3bc5906691952b89a3869e243b1e822df418a69d86b63d89bd2841b042c91fd8
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution point for further malicious content. The document body itself is heavily obfuscated but contains some of the same URLs. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006ce7.bin
SHA-256: 068788142eb5c0461a6ee3b80b26e86ec679ffc9e1f5e0fcd345c8fe45cf5a31
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6CE7
Size: 8208 bytes