Malicious PDF — malware analysis report

Static analysis result for SHA-256 404f4a1b5710b62d…

MALICIOUS

PDF

Size: 43.2 KB
Created: 2020-03-30 16:02:56 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8d1cb11fddf37c97c80585941c22244e
SHA-1: 094423ef583ae69ebcea7138e9f1206c6670642d
SHA-256: 404f4a1b5710b62d255847e5b385c742f6414e49ff5670161ba33afd07bdea65
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to PDF files on unrelated domains. The document body text, while partially corrupted, contains the phrase 'Nombres de personajes historicos griegos' which appears to be a lure to entice users to click on the embedded links. The heuristic 'PDF_SEO_LINK_FARM' indicates a high volume of generated links, suggesting a link farm or SEO spam operation. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-76-197.mgwnet.com/uploads/1/3/1/4/131438423/131438423.html#nombres+de+personajes+historicos+griegos

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007d52.bin
SHA-256: b4150ff841760563b4530eec968fe2e50348182cb9c2e9df9fdc32ca5124fae1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7D52
Size: 8988 bytes