Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e5f2d1b3bae6357…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Created: 2020-03-17 08:24:56 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7232720ac0cdb97500b1abc5b2d55140
SHA-1: c0d5ba772e98baaa03833e3b4bf9ba4d9c72ce84
SHA-256: 7e5f2d1b3bae635730d7fb165609beeef173414bb7fbe666e2d7ad78e1b740a0
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as a dropper by ClamAV. Static analysis revealed a large number of external links, characteristic of a link farm. These links likely serve to distribute further malicious content or to manipulate search engine results. The document body contains garbled text and embedded URLs, which is consistent with the link-farm and dropper assessment.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-8019252-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8019252-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://thedogbedcompany.net/uploads/1/3/0/7/130738799/130738799.html#best+career+for+entp+reddit
    • http://techtronicmobile.com/uploads/1/3/0/4/130476429/dac9b.pdf
    • http://chocny.com/uploads/1/3/0/5/130551249/sesufamuxozudoxez.pdf
    • http://eventled.org/uploads/1/3/0/4/130483138/0c5d90.pdf
    • http://nexgentest.com/uploads/1/3/0/5/130588605/38a2522c01495ab.pdf
    • http://bayareaboatandhomeloans.com/uploads/1/3/0/4/130483400/b8fb7fc126594f0.pdf
    • http://imyanmaradv.com/uploads/1/3/0/2/130288507/xabevet-nolesozujalubok.pdf
    • http://yologirlstucson.com/uploads/1/3/0/5/130541208/7230823.pdf
    • http://danzdleon.org/uploads/1/3/0/5/130538939/2581712.pdf
    • http://www.danapowellenergy.com/uploads/1/3/0/4/130477663/nadarumaxixifuzisune.pdf
    • http://novelstar.net/uploads/1/3/0/8/130814208/5336651.pdf
    • http://javierstreecare.com/uploads/1/3/0/4/130479472/1135725.pdf
    • http://timebtime.com/uploads/1/3/0/7/130775440/8318944.pdf
    • http://webmail.nikkialexanderphotos.com/uploads/1/3/0/7/130739274/9102937.pdf
    • http://www.nubianstriders.com/uploads/1/3/0/9/130969653/48c35a86a4f2.pdf
    • http://pearlporch.com/uploads/1/3/0/6/130604320/3929345.pdf
    • http://splinteredmindshirts.com/uploads/1/3/0/7/130738949/59267.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind              Source                                      Size
font_00_sfnt_off00007b91.bin  pdf-font-stream   PDF embedded font (sfnt) at offset 0x7B91   7580 bytes
  SHA-256: 5a677c92ca88f03f3d63b8281f7e7fafc8b1ef6addcc22f36bdb25d4225e763d
font_01_sfnt_off00009911.bin  pdf-font-stream   PDF embedded font (sfnt) at offset 0x9911   2652 bytes
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea