Malicious PDF — malware analysis report

Static analysis result for SHA-256 5820d7c026fd61c4…

MALICIOUS

PDF

Size: 44.6 KB
Created: 2020-06-08 10:20:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fffa8860d8f7640ef3f1c4ae6cc86bc5
SHA-1: 357c9622a3b545089e7eb7b05fe7ffa7a9e3b084
SHA-256: 5820d7c026fd61c4f23f4813584f713075dfcda6671debf2af5231e04c34391b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, identified as a link farm. The primary heuristic indicates an external URI pointing to a page that appears to be a lure for downloading software. The document body contains garbled text but also includes several URLs that are part of this link farm, suggesting a social engineering attempt to trick users into downloading potentially malicious files.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://hostmaster.lperfectionshairandbeauty.co.uk/uploads/1/3/1/0/131070485/131070485.html#emperor+battle+for+dune+windows+10+%25D1%2581%25D0%25BA%25D0%25B0%25D1%2587%25D0%25B0%25D1%2582%25D1%258C

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00008078.bin (SHA-256 490585452223bd474dfd36181a5e5f80fde3177f22566a192b5b44abf32aa316) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8078 | 10648 bytes