Malicious PDF — malware analysis report

Static analysis result for SHA-256 55bc1ebd39ef69b5…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-06-10 08:42:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b7961c0c8eb94e04d0cec36481f9a70
SHA-1: 9fd885f8a4475e8c176a7ed46805649cafffd5a4
SHA-256: 55bc1ebd39ef69b56b19bb3a32e61544b1162ca0b9817f89e0a3aeb19937c240
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains references to URLs that are also present in the extracted URL list. This suggests a link farm or SEO manipulation tactic, potentially leading to malicious content or phishing sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://theaddcouple.com/uploads/1/3/1/4/131453871/131453871.html#craigslist+las+cruces+nm+auto+parts
    • http://louisianaudc.org/uploads/1/3/0/6/130639076/guzetuko.pdf
    • http://mta-sts.mail.cvma32-2.com/uploads/1/3/0/6/130639802/6072731.pdf
    • http://fit4-women.net/uploads/1/3/0/6/130622005/a3a3a678a.pdf
    • http://evreething.net/uploads/1/3/0/6/130620737/deb707d.pdf
    • http://engageyourmagic.com/uploads/1/3/0/2/130288316/f79759a5cab7.pdf
    • http://ag.jf1788.com/uploads/1/3/1/8/131871531/rumifelevogebado.pdf
    • http://2zm.undesirable.us/uploads/1/3/0/5/130550910/6938965.pdf
    • http://broadsword.com.au/uploads/1/3/0/4/130483542/7282143.pdf
    • http://2fo.undesirable.us/uploads/1/3/0/5/130588547/4616148.pdf
    • http://kariongphysiotherapy.com/uploads/1/3/0/5/130588923/2825192.pdf
    • http://byjctiw.sites.looka.com/uploads/1/3/0/6/130604027/jitosoziwumiga_mukuge.pdf
    • https://rufofuvokije.files.wordpress.com/2020/06/jilukuz.pdf
    • https://vupedobe.files.wordpress.com/2020/06/40457118324.pdf
    • https://fivulenis.files.wordpress.com/2020/06/zozosoxugufavije.pdf
    • https://vijugogazoxo.files.wordpress.com/2020/06/lazeretifilobikuf.pdf
    • https://disosilawube351438687.files.wordpress.com/2020/06/kegob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000724c.bin
    SHA-256: aa6bc40991da1c34ae695cee13aab03949978e79bbb519513d0505dbb7979c10
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x724C
    Size: 10176 bytes