Malicious PDF — malware analysis report

Static analysis result for SHA-256 794da3dbca800679…

MALICIOUS

PDF

48.0 KB Created: 2020-06-03 22:13:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 65a65a47fc5aaa80e2ee97f50696b27a SHA-1: 8cf9f4c871815a05a922e2082a2e4227d1a3b3e4 SHA-256: 794da3dbca800679c2b4a27fcc8d8ae790fe6bba55d82bc85c3e0bacf939defc
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a significant number of external links, with a heuristic identifying it as a 'PDF_SEO_LINK_FARM'. The primary purpose appears to be directing users to various external PDF documents hosted on different domains. The document body is heavily obfuscated, making it difficult to determine a specific user-facing lure. The presence of numerous external links suggests a campaign focused on traffic redirection or hosting malicious content on linked pages.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://6wd.brdge.org/uploads/1/3/1/4/131438486/131438486.html#define+communicative+constitution+of
    • http://thearlyworm.com/uploads/1/3/0/6/130621995/683446.pdf
    • http://campbelltownfc.org/uploads/1/3/0/7/130738525/toxegagawama.pdf
    • http://jorax-beveiliging.nl/uploads/1/3/0/4/130476313/vurixamoraruj.pdf
    • http://6wd.brdge.org/uploads/1/3/1/4/131438486/terms.html
    • http://6wd.brdge.org/uploads/1/3/1/4/131438486/dmca.html
    • http://6wd.brdge.org/uploads/1/3/1/4/131438486/policy.html
    • https://wujemirezop.files.wordpress.com/2020/06/38635840853.pdf
    • https://nupukoxugezo.files.wordpress.com/2020/06/31024944934.pdf
    • https://volagazep.files.wordpress.com/2020/06/11464444104.pdf
    • https://gikubom874419191.files.wordpress.com/2020/06/4674140866.pdf
    • https://mapinazoten.files.wordpress.com/2020/06/1915401888.pdf
    • https://xugipoxuwigo.files.wordpress.com/2020/06/rifijalosejubujoxif.pdf
    • https://zawimig643626223.files.wordpress.com/2020/06/36577407552.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008ed0.bin
b464f9b4d972dd6d454a6e4b66645e0a5cecef5e4f91d42b7b8107b3a756da84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8ED0 11036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.