Malicious PDF — malware analysis report

Static analysis result for SHA-256 78ab02f3f2a035b8…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-04-20 08:55:53 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 707fa6f06b3447de9bc6b9ee0e404f6c
SHA-1: 808349ed87f82f4e42a9a85c2b67e3aeb264c126
SHA-256: 78ab02f3f2a035b8e89cb240edfa889c0b5ab6b431e7bd6901574f91b85f9206
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body mentions 'Chess titans full setup', suggesting a lure to download a game. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, likely for SEO manipulation or to host malicious content. The primary IOC is the first external URL found, which appears to be part of this link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://projectssimplifiedgr.com/uploads/1/3/0/2/130291585/130291585.html#chess+titans+full+setup

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006bed.bin
Hash: 3f0cec230f04b741b8e27fbf4f7276011a84997cf05029a58a93dd1c00a4be62
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6BED
Size: 8252 bytes