Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b1915e6f509a70d…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Created: 2020-05-15 11:08:19 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 74bb973161977db39157506a95822a49
SHA-1: 3fa75fab0365b3359dd5ba4f434ec047c926e1ac
SHA-256: 4b1915e6f509a70d0e40023301b85808d137835afd0da889a70c05edfe260dd2
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF carries 18 external URL actions (flagged by the PDF_SEO_LINK_FARM heuristic), 17 of them pointing at .pdf files. The targets sit on 18 different domains but share one directory layout (/uploads/1/3/x/x/13xxxxxxx/), so the clustering here is by path template rather than by host: this is a generated link-farm or redirection carrier, not a normal citation pattern. The ClamAV detection as Pdf.Dropper.Agent-8187014-0 agrees. No JavaScript or other script was extracted, so the document does not exploit the reader itself; its payload is the links, which route anyone who clicks into further SEO-abused or malicious content. The authoring-application string (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with the file having been generated from a web page rather than authored by hand. The remaining six URLs in the list (w3.org, purl.org, ns.adobe.com) are XMP metadata namespace identifiers, not links, and should not be counted as outbound targets.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-8187014-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8187014-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    External URL actions:
    • http://bevpro.be/uploads/1/3/0/6/130639368/130639368.html#broadsheet+newspaper+headlines
    • http://theraverdehealth.com/uploads/1/3/0/2/130288673/nurufovaxafopul.pdf
    • http://markfreedpa.org/uploads/1/3/0/8/130814715/pidimotavobim.pdf
    • http://hudsonandford.com/uploads/1/3/1/8/131871499/forefagi_senoboxusuran_mowidujifi.pdf
    • http://vdscm.net/uploads/1/3/0/5/130539287/7973419.pdf
    • http://elnuevoprogressobakery.com/uploads/1/3/0/7/130776388/6978206.pdf
    • http://ggllgny.com/uploads/1/3/0/3/130379638/35af174f7.pdf
    • http://womencreatingsuccess.com/uploads/1/3/1/3/131383842/rududadetalusexidejo.pdf
    • http://thecasinoincautobodyshoplosangeles.com/uploads/1/3/0/8/130874148/7406749.pdf
    • http://novelendings.com/uploads/1/3/0/9/130969323/6898921.pdf
    • http://balloonartist.eu/uploads/1/3/1/4/131409170/fivovavipopotobol.pdf
    • http://terrymerschat.com/uploads/1/3/0/5/130544063/tozovoxogoduvupimilo.pdf
    • http://7daysfresh.info/uploads/1/3/0/8/130874150/98f73.pdf
    • http://drlauracano.com/uploads/1/3/0/4/130476098/7a5a0fe99f2897.pdf
    • http://tn-estate.com/uploads/1/3/1/3/131383284/4071557.pdf
    • http://addicted12inc.com/uploads/1/3/0/6/130620320/5274367.pdf
    • http://kaybeebizservices.com/uploads/1/3/1/3/131378840/8870236.pdf
    • http://shayalive.com/uploads/1/3/0/2/130289397/9242130.pdf
    XMP/RDF namespace identifiers from the document's metadata stream (schema URIs, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
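As an added example (not the report's own analysis engine), the following Python script reconstructs a link-farm check of the kind PDF_SEO_LINK_FARM describes. It pulls URLs only from /URI actions in link annotations, so XMP namespace identifiers such as the w3.org and ns.adobe.com entries above are never counted, and it measures clustering both by host and by path template, since this sample clusters on the /uploads/... layout rather than on one domain. The thresholds, the .example hosts and the minimal PDF it builds are all assumptions; the sample PDF is constructed inline and is not the analysed file.

```python
"""Added example: a link-farm check over PDF /URI actions.

This is not the report's analysis engine. Thresholds, the .example hosts
and the minimal PDF built below are assumptions made for the demo.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# A PDF literal string following the /URI key of a URI action.  Escaped
# characters (\) \( \\) are allowed inside; hex strings (<...>) and
# annotations compressed into object streams are out of scope here.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uri_actions(pdf_bytes: bytes) -> list[str]:
    """URLs from /URI actions only.  XMP namespace URIs live in the metadata
    stream as xmlns attributes, never behind a /URI key, so they are skipped."""
    urls = []
    for m in URI_LITERAL.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        urls.append(raw.decode("latin-1"))
    return urls


def path_template(url: str) -> str:
    """Drop the filename and collapse digit runs, so
    /uploads/1/3/0/6/130639368/x.pdf and /uploads/1/3/1/8/131871499/y.pdf
    both become /uploads/N/N/N/N/N/ ."""
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_assessment(pdf_bytes: bytes, *, max_size: int = 100_000,
                         min_links: int = 10, min_pdf_fraction: float = 0.5,
                         min_cluster_fraction: float = 0.6) -> dict:
    """Small file + many external links + mostly .pdf targets + clustering by
    host OR by path template.  Thresholds are assumed, not the vendor's."""
    external = [u for u in extract_uri_actions(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    templates = Counter(path_template(u) for u in external)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in external)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "pdf_targets": pdf_targets,
        "top_host_fraction": top_host,
        "top_template_fraction": top_template,
        "link_farm": (len(pdf_bytes) <= max_size and n >= min_links
                      and (pdf_targets / n if n else 0.0) >= min_pdf_fraction
                      and max(top_host, top_template) >= min_cluster_fraction),
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF: one page of link annotations plus an XMP
    metadata stream whose xmlns URIs must not be counted as links."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
        f"/A << /S /URI /URI ({u}) >> >>"
        for i, u in enumerate(urls))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 300] "
            f"/Annots [ {annots} ] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed sample mirroring the report's shape: one .html link plus twelve
# .pdf links on twelve different hosts that share one upload-path layout.
SAMPLE_URLS = ["http://host00.example/index.html#headline"] + [
    f"http://host{i:02d}.example/uploads/1/3/{i % 2}/{i % 10}/1300{i:05d}/doc{i}.pdf"
    for i in range(1, 13)]

if __name__ == "__main__":
    for key, value in link_farm_assessment(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key:22} {value}")
```

Run it as-is to see the constructed sample score as a farm (13 links, 13 hosts, 12 .pdf targets, 12/13 sharing one path template). To run it against a real file, read the bytes and call link_farm_assessment on them; for PDFs whose annotations are inside compressed object streams, inflate the streams first, because the regex only sees plain-text objects.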

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062fa.bin
SHA-256:  cc4c786ca3e988b2152dc86aec67a3e8f4b5ae7003cd9860ccecf791b281ac55
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x62FA
Size:     10260 bytes

Embedded fonts are normal for PDFs rendered by wkhtmltopdf/Qt; no heuristic in this report fires on this artifact.