Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ec622d9019458cd…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2020-06-04 21:07:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 526a197b4d6ec1f2675573f5c18d9d96
SHA-1: 1c7be24899cfce0e667412f0ca1aea1fde340095
SHA-256: 7ec622d9019458cde861f10f4ddfe1bd5e489042f822515c1d5880eb102f394e
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links pointing to various domains, a technique often used for SEO manipulation or to distribute malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this pattern, indicating a likely attempt to drive traffic to a network of sites. The document body text, though partially corrupted, includes a URL that aligns with this observation. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info; PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://teammojo.pink/uploads/1/3/2/3/132302833/132302833.html#read+the+death+of+grass+online

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006035.bin
SHA-256: e069d04d049d8515b873c16b71cd04fb047706a20e356c243e980eecffee962f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6035
Size: 9548 bytes