Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fd6fb586c2036f1…

Verdict: MALICIOUS
File type: PDF
Size: 49.1 KB
Created: 2020-03-07 17:21:48 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8e234a345640ee0c111747ada68fb047
SHA-1: f8d76b1429cb849d84df897a333961d5f9c6153f
SHA-256: 4fd6fb586c2036f1b4811be0111c64928cdf4ada0cedaa54de945c4c43719273
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains a reference to 'Zero budget natural farming books online' and includes the URL http://o0ype.bpmtc.com/uploads/1/3/0/6/130620572/130620572.html#zero+budget+natural+farming+books+online. The primary purpose appears to be directing users to a vast network of linked PDF files hosted on various domains, likely for SEO spam or to distribute further malicious content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://o0ype.bpmtc.com/uploads/1/3/0/6/130620572/130620572.html#zero+budget+natural+farming+books+online

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007c16.bin
    SHA-256: f1e7200179f137d3e496e81d3561b1068ec86b6cff04b9be6cd0b172f5968253
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C16
    Size: 8192 bytes
  • Filename: font_01_sfnt_off00009bc3.bin
    SHA-256: 77bdc59f21ab92d0c77343ed8c52d78796a35fece3398f7cbfdcda28fccc7740
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9BC3
    Size: 9464 bytes