PDF malware analysis — malicious · 7f74983b9d8f32ba

MALICIOUS

PDF

77.4 KB Created: 2020-03-08 13:09:58 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 97b1f1437b5dd84fc617c05202e47e40 SHA-1: 508d896ca72d9f936867ceebb62d32959fb6d5ec SHA-256: 7f74983b9d8f32ba0b9d7ecf39d304112d42db7194a6fe3145756e166e4f8f87

70 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which appear to be part of a link farm designed to manipulate search engine results. The document body contains a call-to-action phrase, suggesting a lure to click these links. The primary intent appears to be directing users to potentially malicious websites hosted on various domains.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://adsl-63-204-18-26.benefitplans.org/uploads/1/3/0/7/130776304/130776304.html#ayyappa+swamy+harivarasanam+songs+in+telugu
- http://websiteofawesomness.com/uploads/1/3/0/6/130604049/joriseduguvagudid.pdf
- http://imagebysharon.com/uploads/1/3/0/2/130291350/wesikifekare-nedanedep-mumimulufok.pdf
- http://survivingmentalhealth.com/uploads/1/3/0/7/130775251/756129fca4604.pdf
- http://www.mugsysfreshroast.shop/uploads/1/3/0/6/130639093/lovofoferixemivif.pdf
- http://midfloridamedia.com/uploads/1/3/0/5/130588430/zanegap-mujebijo-xamijofatowo-milun.pdf
- http://organizingyourworld.co/uploads/1/3/0/5/130539678/cdfa537ab14.pdf
- http://www.jclayhurdle.com/uploads/1/3/0/3/130379336/wubanalofune-xosowidatusim.pdf
- http://canwalk.net/uploads/1/3/0/2/130272355/2809301.pdf
- http://mmarieboutique.com/uploads/1/3/0/6/130620921/tevozo-xoxasuso-tetuxo-melatenumuzaxid.pdf
- http://bamaagents.com/uploads/1/3/0/5/130551729/2670486.pdf
- http://www.youngatartmn.com/uploads/1/3/0/5/130540280/lusebejixab.pdf
- http://namelesstea.com/uploads/1/3/0/3/130379777/0f0e1ed1.pdf
- http://naturesblissjamaica.com/uploads/1/3/0/4/130476732/zexavalexowat_sedufijirojo.pdf
- http://msaimports.com/uploads/1/3/0/4/130488975/b2ccad2fe07035.pdf
- http://sassyscentsandbling.com/uploads/1/3/0/5/130540420/pigijav_jojup_pigosa.pdf
- http://mysticlyon.org/uploads/1/3/0/5/130588487/62b2a.pdf
- http://www.botanicalboutique.us/uploads/1/3/0/6/130604525/4211989.pdf
- http://mail.korinicolewilliams.com/uploads/1/3/0/9/130968912/f454fe0.pdf
- http://www.officinaimmobiliare.com/uploads/1/3/0/8/130814174/roguduxobo-xodotunex.pdf
- http://instrumentsofexpression.net/uploads/1/3/0/5/130539440/resuwofurog_dixudijiwafuzi_nixisavufetuwaf_gebejet.pdf
- http://mta-sts.amateurhorsesales.com/uploads/1/3/0/5/130539758/763215670867.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000107c3.bin` `11468a134de9c4370cbbf7de7fa9473e60ac345b32d4d7de704dd341575d0ead`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x107C3	7680 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.