Malicious PDF — malware analysis report

Static analysis result for SHA-256 4179ab81c79a4b6e…

Verdict: MALICIOUS
File type: PDF
Size: 43.0 KB
Created: 2020-05-21 10:18:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a90fccb6511d2eff7d40c66aab8cfa0
SHA-1: 8b13baa36bdec3ca0349c023aab5f48ef0c3274c
SHA-256: 4179ab81c79a4b6e832b6d96005941257eee05656bfe6357ff8cc610efe19239
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, many of which point to other PDF files on different domains. This pattern is indicative of a link farm or a distribution mechanism for further malicious content. The presence of the 'PDF_SEO_LINK_FARM' heuristic firing strongly supports this assessment. No scripts were extracted, and the document body is heavily obfuscated, but the sheer volume of external links suggests a malicious intent to redirect users.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006769.bin
    SHA-256: 7406d177c468e7be70b45176f5997ce7449d2984fcb56f391f5803e636608081
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6769
    Size: 6324 bytes
  • Filename: font_01_sfnt_off00007d10.bin
    SHA-256: 73fcbdbbc132d356fb2a7d8c35c143bb5acb5c16b79f8ab77f71e0aec33c255f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D10
    Size: 10460 bytes