Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c9eba3c61394fda…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Created: 2020-03-11 02:19:34 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 638bc2fa0239c529c80f62f251a3c655
SHA-1: 8e0530ecf75c7cd8d568435ff43c5b9e983b8ac9
SHA-256: 7c9eba3c61394fda0d1a19927b616dc94974f6e0052437ad3d06cdca631d2c46
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1598 Gather Victim Identity Information
T1204 Malicious Link

The PDF file contains a large number of external links, many of which are dynamically generated with numeric slugs and appear to be part of a link farm. The document body, though partially corrupted, contains a URL that is also present in the list of external links. This suggests the primary purpose is SEO poisoning or directing users to potentially malicious content hosted on numerous domains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008e49.bin
SHA-256:  ad68f947a2c733edf5df1cd916154e761e2c524b1bb6a05a0a466b43760b2c9a
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x8E49
Size:     8820 bytes