Verdict: MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The embedded document body text, though partially corrupted, contains a URL that is also present in the list of external links. No scripts were extracted from this sample. The primary attack pattern appears to be directing users to a large number of external resources.
Heuristics 3
- PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm. Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- PDF_URI (info): External URI. PDF contains an external URL action.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000075f9.bin (84880986e51eb1a6e40d1a4e8bbf2c283a54fd21369c85821c9c96ea3e4fac37) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x75F9 | 8500 bytes |
| font_01_sfnt_off0000969b.bin (d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x969B | 2616 bytes |