Malicious PDF — malware analysis report

Static analysis result for SHA-256 4683baadb02eabbe…

Verdict: MALICIOUS
File type: PDF
Size: 53.6 KB
Created: 2020-03-12 01:54:08 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4a3018cc7533e662ac06ea5473c9c6de
SHA-1: aa84184368570a5096324284f2dd38282023e883
SHA-256: 4683baadb02eabbecb3b676bdb9ad32eb8f93f26e8e77d2f351e55644f44f375
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique often used for SEO spam or to redirect users to malicious websites. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, indicating the document's primary purpose is to distribute these links. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the direct user-facing content.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000878e.bin | abda68e846bb5a72c72561cb1fefb88087314d754f668fa9df1a1da599e9bd8d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x878E | 9184 bytes
font_01_sfnt_off0000aa7a.bin | 2e0d6281891bd9bd2719a61e260300a7d87bd62bfd1c80e29c658e39d626dd30 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA7A | 2628 bytes
font_02_sfnt_off0000b3c3.bin | b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB3C3 | 16060 bytes