Malicious PDF — malware analysis report

Static analysis result for SHA-256 42f590d4e3097060…

Verdict: MALICIOUS
Type: PDF
Size: 38.2 KB
Created: 2020-03-25 05:38:10 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4cd2f7a8f1f0728cab80e7c338616e5f
SHA-1: 854eb24da2866ece0c8cfc4c5e75f13796c139ac
SHA-256: 42f590d4e3097060b454f619898cc2d4ba74e143a839ce32bd2cfa12d5da9c52
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The sample is a small (38.2 KB) PDF generated with wkhtmltopdf whose only notable content is a set of clickable external links: one HTML landing page and 16 further PDFs. The 16 PDF links sit on 16 different domains but all share one hosting path template (/uploads/1/3/0/<d>/130xxxxxx/<name>.pdf), so the clustering is on the path template rather than on a single host. This matches a generated SEO link-farm carrier that routes a reader into a chain of similar documents, not a normal citation pattern. No scripts or other active content were extracted (the only carved artifact is an embedded font) and the rendered body is largely unreadable, so the final payload, if any, lives behind the links and cannot be determined from this file alone. The T1059.001 (PowerShell) mapping is therefore not substantiated by anything recovered from the sample; T1566.001 reflects the expected delivery vector. The primary pattern observed is mass distribution of external links, and the linked hosts are pivot indicators for further collection rather than confirmed payload servers.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://horsetrailerbp.com/uploads/1/3/0/6/130639183/130639183.html#best+enchantment+room+in+minecraft
    • http://caebp.org/uploads/1/3/0/7/130776406/vidafelakejerana.pdf
    • http://salonsuccess.co/uploads/1/3/0/4/130436298/moludizenajefirabuva.pdf
    • http://ips9presentation.com/uploads/1/3/0/5/130551661/18be56efe26.pdf
    • http://soscharityservices.com/uploads/1/3/0/6/130604136/4911449.pdf
    • http://customshirtsnq.net/uploads/1/3/0/3/130323219/7285467.pdf
    • http://heartstrings.shop/uploads/1/3/0/7/130776735/4972152.pdf
    • http://funmoney4us.com/uploads/1/3/0/6/130621814/272bb4db40.pdf
    • http://sub.thequiltingjeanne.com/uploads/1/3/0/5/130588443/4870063.pdf
    • http://tamaraomondi.com/uploads/1/3/0/7/130775102/1043498.pdf
    • http://turningpointwellnesscenter.com/uploads/1/3/0/7/130776113/1c5f17134.pdf
    • http://procorebuild.com/uploads/1/3/0/7/130776760/6f502cb7.pdf
    • http://ddlgverse.com/uploads/1/3/0/5/130544385/3e6cc.pdf
    • http://scrubbinhomes.com/uploads/1/3/0/6/130604069/b1bef9e14f.pdf
    • http://jayrosetravels.com/uploads/1/3/0/5/130543053/315452.pdf
    • http://comedyshowcasedurango.com/uploads/1/3/0/7/130776055/wobugefaxobobesa.pdf
    • http://nanlaird.com/uploads/1/3/0/5/130551962/zarikejopu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six URLs (w3.org, purl.org, ns.adobe.com) are RDF/XMP namespace identifiers from the document's metadata stream, not link targets; they appear in any XMP-tagged PDF and should not be treated as indicators.
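The PDF_SEO_LINK_FARM heuristic above is described in words only. The following is an added example written for this page, not code from the analysis engine or from the report, of how such a rule can be applied to raw PDF bytes: it pulls the target of every /URI action out of link annotations, keeps only external links to further PDFs, and fires when the file is small, the link count is high, and the links cluster. It goes slightly beyond the heuristic text in that it also clusters on a digit-normalised path template, because the URLs listed in this report share one template across many distinct hosts. The thresholds (100 KB, 10 links, 50% clustering), the helper that builds a test PDF, and the .example hosts in the sample input are all assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Target string of a /URI action inside a link annotation: /A << /S /URI /URI (http://...) >>
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes):
    """Return the target of every /URI action found in the raw PDF bytes.

    Only uncompressed annotation dictionaries are seen (object streams would need
    inflating first); that is enough for the generated carriers this rule targets.
    """
    urls = []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        literal = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ string escapes
        urls.append(literal.decode("latin-1"))
    return urls


def path_template(url):
    """Collapse a URL path to its shape: drop the filename, replace digit runs with '#'."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", directory)


def link_farm_verdict(pdf_bytes, max_size=100 * 1024, min_links=10, cluster_ratio=0.5):
    """Apply a PDF_SEO_LINK_FARM-style rule (assumed thresholds) and report why it fired."""
    urls = extract_uri_actions(pdf_bytes)
    external = [u for u in urls if urlsplit(u).scheme.lower() in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    verdict = {"size": len(pdf_bytes), "external_links": len(external),
               "pdf_links": len(pdf_links), "hit": False, "cluster": None}
    if len(pdf_bytes) > max_size or len(pdf_links) < min_links:
        return verdict
    by_host = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    by_template = Counter(path_template(u) for u in pdf_links)
    # Cluster on host first (the rule as worded), then on path template (this report's pattern).
    for kind, counter in (("host", by_host), ("path_template", by_template)):
        key, n = counter.most_common(1)[0]
        if n / len(pdf_links) >= cluster_ratio:
            verdict.update(hit=True, cluster=(kind, key, n))
            break
    return verdict


def build_link_pdf(urls):
    """Constructed helper: a one-page PDF whose only content is one /Link annotation per URL."""
    annots, objs = [], []
    for i, url in enumerate(urls):
        num = 4 + i
        annots.append(f"{num} 0 R")
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append((num, f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                          f"/A << /S /URI /URI ({esc}) >> >>"))
    page = (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >>")
    body = [(1, "<< /Type /Catalog /Pages 2 0 R >>"),
            (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"), (3, page)] + objs
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, dictionary in body:
        offsets[num] = len(out)
        out += f"{num} 0 obj\n{dictionary}\nendobj\n".encode("latin-1")
    xref_pos, count = len(out), len(body) + 1
    out += f"xref\n0 {count}\n0000000000 65535 f \n".encode()
    for num in range(1, count):
        out += f"{offsets[num]:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {count} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n".encode()
    return bytes(out)


# Constructed sample input (not the analysed file): RFC 2606 .example hosts, paths copying
# the /uploads/1/3/0/<d>/130xxxxxx/<name>.pdf template seen in the report's URL list.
SAMPLE_URLS = [f"http://host{i:02d}.example/uploads/1/3/0/{i % 8}/13060{i:04d}/file{i}.pdf"
               for i in range(1, 13)]
SAMPLE_URLS.append("http://host00.example/uploads/1/3/0/6/130639183/130639183.html#best+keyword")
SAMPLE_PDF = build_link_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
```

Run stand-alone it prints the verdict for the constructed sample: the host counter never passes the ratio (every link is on a different host) but the path-template counter does, which is exactly why a rule keyed on host alone would miss the link set listed in this report. Against a real sample, inflate object streams (e.g. with a proper PDF parser) before scanning, or the annotations may be invisible to the regex.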

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006cd7.bin
SHA-256: b927c5524a090c5148d3b5ce021fb37177685483a23b836789d6f018e233b410
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6CD7
Size: 7904 bytes