Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b240e1508afc7db…

Verdict: MALICIOUS
File type: PDF
Size: 28.2 KB
Created: 2020-06-20 20:03:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3cd598ac574a1fae2f58be3fb303cdfd
SHA-1: c781a192c29486ed15c011f320eb5b92dfa069ab
SHA-256: 7b240e1508afc7db3ea77aa00e2ebf5bb714b8d9a8a575f1ac1f0329866c929d
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body, though heavily obfuscated, contains references to 'Biologia villego pdf' and several URLs, reinforcing the link farm attack pattern. No scripts were extracted, limiting the analysis of direct malicious actions.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://clarksvilletlc.net/uploads/1/3/0/7/130775838/130775838.html#biologia+villego+pdf
    • http://remmarbud.eniroweb.pl/uploads/1/3/1/3/131381036/wivefugufud-fobobaz.pdf
    • http://staygr8.com/uploads/1/3/1/4/131483255/4425201.pdf
    • http://kirathomasportfolio.com/uploads/1/3/0/3/130313122/taguboviz.pdf
    • http://lexandwillsafrica.com/uploads/1/3/0/8/130813558/xaravik_wimagijute_wurilorifoka.pdf
    • http://fursurepetshop.com/uploads/1/3/0/7/130739754/8084757e180c371.pdf
    • http://jennifermadden.net/uploads/1/3/1/4/131410399/82eec4e6ae.pdf
    • http://huntsvilletexasattorney.com/uploads/1/3/1/3/131380078/rovapanuxufogerusi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000393d.bin
    SHA-256: 894bcb236ba154bbd61925ff5f23fc4e750d39a480b3bac156e7a79e7c6c6127
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x393D
    Size: 4644 bytes
  • Filename: font_01_sfnt_off00004913.bin
    SHA-256: cab87e3d9814b07ee328cf95eeae7a0511abd95b98da2029a276e5e46ec65668
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4913
    Size: 8100 bytes