Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c5a7240c1872e7b…

Verdict: MALICIOUS
File type: PDF
Size: 52.1 KB
Created: 2020-03-29 10:29:22 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 60800557ced3ec91909836d3501882ee
SHA-1: b216508d76b8924385dea610e279da63314aed03
SHA-256: 4c5a7240c1872e7bbf7ce0347664b405bab773041882baea1138f56a83cbb845
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains an unusually large number of embedded external links, a pattern typical of SEO spam or of carrier documents used to route readers to malicious payloads. The primary heuristic, PDF_SEO_LINK_FARM, fired on 30 external links, predominantly hosted on fremergrupo.com. The document body, although partially corrupted, references 'Edward b. tylor definition of culture' and was produced with wkhtmltopdf (an HTML-to-PDF renderer), suggesting a generated lure page rather than an authored document. The URLs point to many unrelated domains, each hosting a further PDF, consistent with a broad distribution or redirection strategy.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://74-123-75-90.mgwnet.com/uploads/1/3/0/5/130588927/130588927.html#edward+b.+tylor+definition+of+culture
    • http://fremergrupo.com/uploads/1/3/0/6/130639949/567905.pdf
    • http://discovermilaca.com/uploads/1/3/0/5/130545485/a5173.pdf
    • http://rachellepinnow.com/uploads/1/3/0/5/130551935/bolulapemivirerevi.pdf
    • http://importmod.com/uploads/1/3/0/6/130621592/pasimabe.pdf
    • http://jccustompoolsfl.com/uploads/1/3/0/6/130639055/juvija_xemujiled_duzisedizav.pdf
    • http://kazemianfoundation.com/uploads/1/3/0/5/130588842/cbc3dba.pdf
    • http://www.leavesbylyrik.com/uploads/1/3/0/8/130813400/aeda7.pdf
    • http://mountainsbythesea.com.au/uploads/1/3/0/2/130291358/lomunodaku.pdf
    • http://mjvsms.ca/uploads/1/3/0/4/130435635/6410702.pdf
    • http://tripvector.org/uploads/1/3/0/7/130775053/6877556.pdf
    • http://wesgoldsberry.com/uploads/1/3/0/2/130291492/sutamezapezuwoj.pdf
    • http://mariannstefanelli.com/uploads/1/3/0/5/130543240/237b819e2.pdf
    • http://brigidmarshall.com/uploads/1/3/0/5/130551298/ninuxel.pdf
    • http://www.chessrandomly.com/uploads/1/3/0/5/130540795/3032394.pdf
    • http://cpanel.mnmsprinkler.com/uploads/1/3/0/4/130490193/xixanivuzelozi_kukod_lipufa.pdf
    • http://www.disneyinspirations.com/uploads/1/3/0/5/130590140/9918644.pdf
    • http://adagencyvaluations.net/uploads/1/3/0/7/130775868/zojubadadon.pdf
    • http://aeverest.net/uploads/1/3/0/6/130605291/fabun_kemelibinis.pdf
    • http://maturingtowardwholeness.com/uploads/1/3/0/5/130590545/zisikogawinabuserova.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries (the w3.org, purl.org and ns.adobe.com URIs) are standard RDF, Dublin Core and XMP namespace identifiers carried in the document's metadata stream, not clickable links; only the preceding entries bear on the link-farm finding.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | SHA-256                                                          | Kind            | Source                                    | Size
font_00_sfnt_off00009a80.bin | 149f4764285e43e6f90188b6f7bf9c85a0ce930bb2c182c7320821e428a3e595 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9A80 | 8000 bytes
font_01_sfnt_off0000b938.bin | d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB938 | 2616 bytes