Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cb3b5ce5c84a465…

MALICIOUS

PDF

Size: 136.8 KB
Created: 2020-03-25 09:02:37 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3d46511cd9be7fb9cb4dfcb7a283b121
SHA-1: 8be94d178816e4e7db5693ef17fa3d8a1585e715
SHA-256: 3cb3b5ce5c84a4655f0481eed93ee867328ed290c7126d42abc654c3e71dbba1
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to PDF files hosted on various domains, indicating a link farm or SEO spamming operation. The primary URL, http://preschoolkaty.com/uploads/1/3/0/4/130476804/130476804.html#matematicas+avanzadas+para+ingenieria+dennis+zill+solucionario, suggests a lure related to academic materials. This pattern is often used to distribute malware or redirect users to phishing sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://preschoolkaty.com/uploads/1/3/0/4/130476804/130476804.html#matematicas+avanzadas+para+ingenieria+dennis+zill+solucionario

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001aa62.bin
  SHA-256: c8a2bc3b5822df5aaac0122ff1b80ee6790d954acf49ccbbe26627920f0999e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1AA62
  Size: 9864 bytes

Filename: font_01_sfnt_off0001bd97.bin
  SHA-256: fb1e9dab24403a51b1e8d4a14a97a4ef14e571359cdc2b3a8c568cd4b8e3dbeb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1BD97
  Size: 10244 bytes

Filename: font_02_sfnt_off0001e23d.bin
  SHA-256: 2f40d8e80d8c38d87cd260c9fe8d64eb510e497836eaef680da166a7e256411c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1E23D
  Size: 1240 bytes

Filename: font_03_sfnt_off0001e948.bin
  SHA-256: cf6a5b503253807265d7d96e91d7723956520da0fdeca962deef73777ee38a19
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1E948
  Size: 5660 bytes

Filename: font_04_sfnt_off0001fbeb.bin
  SHA-256: 2f371e5b966cb7c3cb2c2ab199b5fd1d81734ca7b62bb63d3004d9f75edc3b70
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1FBEB
  Size: 16360 bytes