Malicious PDF — malware analysis report

Static analysis result for SHA-256 47d2159b9d08acf0…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Created: 2020-04-14 14:05:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5fadb40ee067a59bb6ac715abf260ea3
SHA-1: 898b4c049302951a7feb486ac99da0bab870a148
SHA-256: 47d2159b9d08acf0a478906c58abf4a27bfd2c193cf13cf189b331d4f01d6934
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on similar domains. This suggests a link farm or SEO poisoning tactic designed to drive traffic to potentially malicious content. The document body, though heavily obfuscated, contains text related to 'customer relationship management questions and answers', likely a lure to encourage users to click the embedded links. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://restorativespaceyogaandmassage.org/uploads/1/3/0/6/130639395/130639395.html#customer+relationship+management+questions+and+answers+pdf
    • http://qualityeyecaremi.net/uploads/1/3/1/4/131408864/7301015.pdf
    • http://angelaadamsaliphd.com/uploads/1/3/0/3/130379351/6291113.pdf
    • http://clarkbonsaicollection.com/uploads/1/3/0/6/130639504/denozol.pdf
    • http://brookelynbrown.com/uploads/1/3/1/3/131384289/zivadezasun-pojilu-tisife.pdf
    • http://supoaklandstreetfood.com/uploads/1/3/1/3/131383965/4780830.pdf
    • http://stacymurphymotivational.com/uploads/1/3/1/1/131163550/kogotevotu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00009d5f.bin
    SHA-256: 612d074517b4c1fc2e005da392e0250a82f4d63b9da86b9574d6319d5ae923d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9D5F
    Size: 8252 bytes