Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a5b2d6eee636bc1…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Created: 2020-04-16 09:23:12 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3a6d1c6fa06140177bbed134c2c872ff
SHA-1: 7aeb4bf230e9147fdf90a50bc1b3ebda11044305
SHA-256: 7a5b2d6eee636bc10d27c1c8ae648babc46819360d7c066fd19343df262fdcce
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of SEO-optimized links pointing to other PDF files hosted on various domains. The document body mentions 'Lightest pdf reader android', suggesting a lure to trick users into downloading or interacting with malicious content. The primary heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm for SEO purposes, likely to distribute malware or phishing content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mrrainbowtoy.com/uploads/1/3/0/5/130588246/130588246.html#lightest+pdf+reader+android

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000067d4.bin
SHA-256: 5d6076862a6234d5ce7588c8c0042a4c355dd852a94303c374f5c10f2a3e4bb4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x67D4
Size: 8168 bytes