Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fd90f8112c3388e…

MALICIOUS

PDF

Size: 47.0 KB
Created: 2020-06-07 10:49:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5de10b95a0950ae238369375d4361f32
SHA-1: 94f4aaaefdbff77a0d1ff211c49f6ad29529ccb3
SHA-256: 7fd90f8112c3388e19966d77fc3607ace79a4f9de38c2af3601747e438d3bda8
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body, though truncated, includes text related to 'academic expectations' and 'stress inventory', suggesting a lure to disguise the malicious intent. The primary heuristic indicates a 'PDF_SEO_LINK_FARM' with 30 external links, suggesting a tactic to distribute malicious content or phish for credentials through a network of seemingly unrelated websites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://mx.emeraldcityelectric.com/uploads/1/3/0/5/130589337/130589337.html#academic+expectations+stress+inventory+pdf
    • http://skilledcraftsman.org/uploads/1/3/0/7/130775871/lafogi.pdf
    • http://newportbayconstruction.com/uploads/1/3/1/1/131163955/gogogiwi.pdf
    • http://righteousstrategiesllc.com/uploads/1/3/0/7/130739001/2260683.pdf
    • http://jindubaijiale.br3h.com/uploads/1/3/0/4/130436050/vugedogov.pdf
    • http://garciamsband.org/uploads/1/3/1/3/131398313/f63253.pdf
    • http://suntnenorocit245.com/uploads/1/3/0/6/130639751/6c90334.pdf
    • http://galalogistic.com/uploads/1/3/0/2/130289630/1811519.pdf
    • http://andreveterinarygroup.com/uploads/1/3/1/0/131071220/duwalerowemu_pidimedaj_tikipimuruk.pdf
    • http://tortugamobile.com/uploads/1/3/1/1/131164002/zusem.pdf
    • https://jorasemop.files.wordpress.com/2020/06/nuzevelofaz.pdf
    • https://bekururumema.files.wordpress.com/2020/06/xojubuwafaxivuk.pdf
    • https://marobafemixu.files.wordpress.com/2020/06/kisube.pdf
    • https://nunobum.files.wordpress.com/2020/06/femasejaderuranezoruwojo.pdf
    • https://livobaxuw793041599.files.wordpress.com/2020/06/18302774199.pdf
    • https://zaloguko.files.wordpress.com/2020/06/zirovukumosebatolonodebi.pdf
    • https://vedusax.files.wordpress.com/2020/06/98317352244.pdf
    • https://wakogokanexu.files.wordpress.com/2020/06/28584924648.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00008b86.bin
    SHA-256: 5f9541992bc69a1a8189b48a38db50d36d5bf9a827d885ec97eecbdcedde6614
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B86
    Size: 10824 bytes