Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fc5905175839887…

Verdict: MALICIOUS
File type: PDF
Size: 33.5 KB
Created: 2020-05-27 16:48:46 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 540f36c39d660fbccd881c48396455a3
SHA-1: 3d4ba73a49f8a52cd2ccf97689a780fd1efb12dc
SHA-256: 4fc59051758398875c2d0756bd3daaad64b6ba480b87ebedd4882cd9b9de4309
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links, a pattern typical of SEO poisoning or of redirecting users to malicious sites. The document body text, although partially corrupted, contains a URL whose fragment ("como descargar kof 2002 magic plus", Spanish for "how to download KOF 2002 Magic Plus") reads as a lure for a game download. The heuristic hits confirm a link farm and embedded URLs, indicating a social-engineering attempt to drive traffic to potentially malicious content. The file was produced by wkhtmltopdf, an HTML-to-PDF renderer, which is consistent with a mass-generated carrier rather than an authored document. No scripts were extracted from this sample.

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://my-wilcox.com/uploads/1/3/0/7/130776407/130776407.html#como+descargar+kof+2002+magic+plus (fragment reads "how to download KOF 2002 Magic Plus"; the game-download lure referenced above)
    • http://eslawrence.com/uploads/1/3/1/4/131408930/waxebujun.pdf
    • http://397.undesirable.us/uploads/1/3/0/7/130739845/wuxejomuzebu_buximeb.pdf
    • http://aubonvin.shop/uploads/1/3/0/7/130775806/jofipuk_jakidobox_verepuzegosi.pdf
    • http://thebairdproject.org/uploads/1/3/0/5/130590496/2329990.pdf
    • http://masterconcrete.ie/uploads/1/3/0/7/130739538/4ba98ed7a4.pdf
    • http://myblacksedanjetta.com/uploads/1/3/1/4/131437831/tiduroneji.pdf
    • http://emmaatman.empowerhouse.com.au/uploads/1/3/0/5/130551714/votivelinowesig_mivikemuti_nuwalosirup.pdf
    • http://wpcbgagentleonzwart.com/uploads/1/3/1/6/131606354/3063333.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP metadata namespace identifiers (RDF, Dublin Core and the Adobe PDF/XMP schemas) that any PDF with an XMP metadata stream carries. They are not link targets and should not be counted toward the link farm; only the /uploads/... entries above are clickable link actions.
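The two detection points above, the PDF_SEO_LINK_FARM clustering and the EMBEDDED_URL caveat that a URL's channel matters, as an added illustration that is not the report engine's code. This standard-library Python triage script pulls /URI action targets out of raw PDF bytes (literal and hex string forms), labels xmlns declarations from the XMP stream separately so they are never counted as links, and scores clustering both by host and by path shape: the eight PDF links listed above sit on eight different hosts but share the /uploads/1/3/x/x/<id>/ path shape, so host clustering alone would miss them. The thresholds (64 KB, 5 links, 50% share), the path-shape normalisation, and the farm-N.invalid hosts in the embedded sample are assumptions for the example; URLs in the page body text, such as the game-download lure, live in content streams that are normally Flate-compressed and are out of scope here.

```python
"""Triage helper for the PDF_SEO_LINK_FARM pattern: pull /URI action targets out of
raw PDF bytes, keep XMP namespace URIs apart from real links, and score clustering.
Standard library only; works on uncompressed annotation objects."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string value of a URI action key: /URI (http://...), with \-escapes allowed.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Hex-string form of the same value: /URI <68747470...>  (whitespace permitted inside).
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# xmlns declarations in an XMP metadata stream: namespace identifiers, never clickable.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+\s*=\s*"([^"]*)"')

SIMPLE_ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}  # \n \r \t \b \f


def unescape_literal(raw: bytes) -> str:
    """Decode a PDF literal-string body (octal escapes are not handled; URLs do not use them)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):           # backslash escape
            out.append(SIMPLE_ESCAPES.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_urls(pdf: bytes):
    """Return (channel, url) pairs; channel is 'link-action' or 'xmp-namespace'."""
    found = []
    for m in URI_LITERAL_RE.finditer(pdf):
        found.append(("link-action", unescape_literal(m.group(1))))
    for m in URI_HEX_RE.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:
            digits += b"0"                                  # PDF pads odd-length hex strings
        found.append(("link-action", bytes.fromhex(digits.decode()).decode("latin-1")))
    for m in XMLNS_RE.finditer(pdf):
        found.append(("xmp-namespace", m.group(1).decode("latin-1")))
    return found


def path_shape(url: str) -> str:
    """Collapse digit runs and the filename so generated paths share one shape (assumed
    normalisation), e.g. /uploads/1/3/0/7/130776407/x.pdf -> /uploads/#/#/#/#/#/*"""
    shape = re.sub(r"\d+", "#", urlsplit(url).path)
    return re.sub(r"/[^/]*$", "/*", shape)


def link_farm_verdict(pdf: bytes, max_size=64 * 1024, min_links=5, cluster_ratio=0.5):
    """Flag a small PDF whose link targets cluster on one host or one path shape.
    Thresholds are assumptions for illustration, not the report engine's values."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-action"]
    n = len(links)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    shapes = Counter(path_shape(u) for u in links)
    top_host = hosts.most_common(1)[0][1] if n else 0
    top_shape = shapes.most_common(1)[0][1] if n else 0
    clustered = n > 0 and max(top_host, top_shape) / n >= cluster_ratio
    return {
        "size": len(pdf),
        "links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host / n, 2) if n else 0.0,
        "top_shape_share": round(top_shape / n, 2) if n else 0.0,
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and n >= min_links and clustered,
    }


# Constructed sample (not the analysed file): five generated-looking links on five hosts,
# one hex-encoded sixth farm link, one ordinary link, and an XMP block with three namespaces.
FARM_HOSTS = [("farm-%d.invalid" % i, 130700000 + 7 * i) for i in range(1, 6)]
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj\n"
for k, (host, num) in enumerate(FARM_HOSTS, start=3):
    SAMPLE_PDF += (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 90 12] "
                   b"/A << /S /URI /URI (http://%s/uploads/1/3/0/7/%d/file%d.pdf) >> >> endobj\n"
                   % (k, host.encode(), num, k))
SAMPLE_PDF += (b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <"
               + b"http://farm-6.invalid/uploads/1/3/0/7/130775806/a.pdf".hex().encode()
               + b"> >> >> endobj\n"
               b"10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
               b"/URI (https://www.example.org/docs/manual.html) >> >> endobj\n"
               b"9 0 obj << /Type /Metadata /Subtype /XML >> stream\n"
               b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
               b' xmlns:dc="http://purl.org/dc/elements/1.1/"\n'
               b' xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>\nendstream endobj\n'
               b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:14} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

Run against a real sample with `link_farm_verdict(open(path, "rb").read())`. Because it works on raw bytes, it only sees annotation dictionaries that are not inside compressed object streams; for PDF 1.5+ files with /ObjStm, decode the object streams first or use a full parser, otherwise a link farm can hide from this check.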

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005476.bin
SHA-256: 418a11b48599fb16acc9461881c31014b6eb37ebc9d3ec583c99c010018396c6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5476
Size: 12248 bytes
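How an artifact row like the one above is produced, as an added example that is not the analysis engine's code: the carver scans a byte buffer for sfnt version magics (TrueType, Apple TrueType and CFF-based OpenType), parses the table directory to work out where the font ends, and records offset, size, table tags and SHA-256 for each directory-consistent hit, while skipping magic bytes that are not followed by a sane directory. The embedded sample fonts, the 64-table sanity bound and the assembler used to build them are constructed for this example. In a real PDF the FontFile stream is usually FlateDecode-compressed, so the stream has to be inflated before it is scanned.

```python
"""Carve sfnt font programs (TrueType / OpenType) out of a byte buffer by parsing the
table directory, the step behind a 'PDF embedded font (sfnt) at offset ... N bytes'
artifact line. Standard library only; run it on decoded (inflated) stream bytes."""
import hashlib
import struct

# Version magics: TrueType, Apple TrueType, CFF-flavoured OpenType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
MAX_TABLES = 64   # assumed sanity bound; real fonts rarely exceed about 30 tables


def sfnt_extent(buf: bytes, off: int):
    """Parse the table directory of the sfnt at buf[off:] and return (length, [tags]),
    or None if the directory is not sane. Table offsets are relative to the font start."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    end, tags = dir_end, []
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c < 0x7F for c in tag):      # tags are printable ASCII ('cvt ', 'OS/2')
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:
            return None
        end = max(end, t_off + t_len)
        tags.append(tag.decode("ascii"))
    end = min(end + (-end % 4), len(buf) - off)          # tables are padded to 4 bytes
    return end, tags


def carve_sfnts(buf: bytes):
    """Scan for sfnt magics and carve every directory-consistent font. Each result has
    offset, size, table tags and SHA-256, the fields an artifact row reports."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = sfnt_extent(buf, off)
        if parsed is None:               # magic bytes without a sane directory: skip one byte
            pos = off + 1
            continue
        size, tags = parsed
        blob = buf[off:off + size]
        found.append({"offset": off, "size": size, "tables": tags,
                      "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + size


def build_sfnt(tables, magic=b"\x00\x01\x00\x00") -> bytes:
    """Assemble a minimal sfnt from {tag: bytes} for the constructed sample below;
    checksums are left at zero because the carver does not verify them."""
    n = len(tables)
    header = struct.pack(">4sHHHH", magic, n, 0, 0, 0)
    body, records, off = b"", b"", 12 + 16 * n
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return header + records + body


# Constructed sample: a false TrueType magic in the header comment (numTables = 0, rejected),
# a 120-byte TrueType font and a 64-byte CFF-based OpenType font inside stream objects.
FONT_A = build_sfnt({b"head": b"\x00\x01\x00\x00" + bytes(50), b"glyf": bytes(range(20))})
FONT_B = build_sfnt({b"CFF ": b"\x01\x00\x04\x01" + bytes(29)}, magic=b"OTTO")
PREFIX = (b"%PDF-1.4\n% junk with a false header: \x00\x01\x00\x00\x00\x00\x00\x00\n"
          b"12 0 obj << /Length 120 >> stream\n")
SAMPLE = (PREFIX + FONT_A + b"\nendstream endobj\n13 0 obj << /Length 64 >> stream\n"
          + FONT_B + b"\nendstream endobj\n")

if __name__ == "__main__":
    for hit in carve_sfnts(SAMPLE):
        print("sfnt at offset 0x%x, %d bytes, tables %s, sha256 %s"
              % (hit["offset"], hit["size"], hit["tables"], hit["sha256"]))
```

Write each carved blob to a file named by its offset (as the report does with off00005476) and feed it to a font parser or a sandbox if the font itself is suspected of carrying the payload; this carver only establishes boundaries and identity, it does not validate the glyph data.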