Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e11f77ba4785451…

MALICIOUS

PDF

Size: 43.9 KB
Created: 2020-03-10 04:07:56 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 58e6ec62da342c0e1e3a3da49e737c59
SHA-1: ab6f6e60511a0738d74a78b7520ff84bf96a2238
SHA-256: 7e11f77ba47854511cea6678c30d75a67af56c85a20600c31fdfcd7f02fff621
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a common technique for SEO poisoning and driving traffic to malicious sites. The document body, though partially corrupted, contains text related to 'Axis bank fd rates 2018 for senior citizens', suggesting a lure to attract users interested in financial information. The embedded links point to various domains, likely part of a link farm designed to improve search engine rankings for the malicious content hosted on these sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cloverlegacy.com/uploads/1/3/0/5/130550683/130550683.html#axis+bank+fd+rates+2018+for+senior+citizens
    • http://handbagcentral.com.au/uploads/1/3/0/6/130604312/tisinutanalepis-vuzukeborekisak-loroxobuf.pdf
    • http://celsosim.com/uploads/1/3/0/6/130621446/97f047d0a9f775b.pdf
    • http://barnetbowlsclub.com/uploads/1/3/1/0/131070805/1320869.pdf
    • http://mcaloonegroup.com/uploads/1/3/0/4/130476144/dugumisuvonadifavef.pdf
    • http://www.matthewallenmusic.com/uploads/1/3/0/2/130289636/4f8b4e53631.pdf
    • http://eugeneioannou.com/uploads/1/3/0/7/130775972/512136.pdf
    • http://malachany.net/uploads/1/3/0/4/130483393/3259235.pdf
    • http://polychromatiks.com/uploads/1/3/0/7/130776149/zegazisiba_vuteme_pojuneviwaxel.pdf
    • http://kosmetik.space/uploads/1/3/0/7/130776088/logekukuduva.pdf
    • http://palmettopreswic.org/uploads/1/3/0/5/130590361/2198392.pdf
    • http://jakebrenneise.org/uploads/1/3/0/6/130603855/daf9ef71360ba00.pdf
    • http://metrix-psy.com/uploads/1/3/0/7/130740092/tejokow-lifaweluwip-satukeraxo.pdf
    • http://www.mrb2btechwriter.com/uploads/1/3/0/5/130543063/5872747.pdf
    • http://2and3.org/uploads/1/3/0/8/130874076/tigugumeteg-zawagijejesu-zanemelolize-xokolupiwatek.pdf
    • http://kbkornhole.com/uploads/1/3/0/2/130272569/balozuti.pdf
    • http://desireezantolas.com/uploads/1/3/0/9/130969566/c4d0b9.pdf
    • http://mail.eastwoodvillage.com/uploads/1/3/0/7/130775142/tulixusegojepekini.pdf
    • http://www.lupinefilms999.com/uploads/1/3/0/7/130776609/efda3fd6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000083f0.bin
SHA-256: 37fbd1ebbf50a447bed7914443827a0d56912923bf96414f93129f10a19b58b5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x83F0
Size: 7820 bytes