Malicious PDF — malware analysis report

Static analysis result for SHA-256 79362e8a8526192b…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-04-06 10:29:25 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7c69f7f8d104b990b92a05f7150ae40e
SHA-1: 523c0d207b046b93fae329b7b2a4fc501473cb8f
SHA-256: 79362e8a8526192bf935c7ed03504304bb6b0960d00865c6ea565427c7fee642
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to belong to a link farm built to manipulate search engine results or to host malicious content. The document body, though heavily obfuscated, contains references to URLs that also appear in the extracted IOCs. The primary attack pattern appears to be redirecting users to external, potentially malicious websites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000692d.bin
SHA-256: 59331ff6922d5e8da20d5bcf86445f224faa119870a55bebd7022e6504b96033
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x692D
Size: 8720 bytes