Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a587c5c4c5f120…

Verdict: MALICIOUS
File type: PDF
Size: 74.5 KB
Created: 2020-03-29 01:47:39 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5d64b1877fec6271c1f4f218fb618576
SHA-1: 9e0b2770e19f45cfd6b566349cb74c8488abd37e
SHA-256: 84a587c5c4c5f1207d97007600529eac2a6f1784f71a2eec6d88b5e17220152c
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF document contains a lure related to Microsoft Word functionality to disguise its true purpose. It hosts a large farm of external PDF links, indicated by the 'PDF_SEO_LINK_FARM' heuristic, suggesting a redirection or content-loading mechanism. The primary external URL points to an HTML file that likely serves as a landing page or further redirection.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://74-123-72-13.mgwnet.com/uploads/1/3/0/7/130740536/130740536.html#como+insertar+una+tabla+de+contenido+en+word+2011+mac

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: stream_009_off0000e130.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xE130
  Size:    19848 bytes
  SHA-256: e56b1bd9a3e6c08b74b7d062a2a9386b1f13b16589c8063058fa977167be4a96

Filename: font_00_sfnt_off00007a11.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7A11
  Size:    11172 bytes
  SHA-256: ecf52d12df49d5ed18eeb32ed4f2c9f32a01cdd7e05491a9d6b443ffe3fd8c09

Filename: font_01_sfnt_off0000933a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x933A
  Size:    11024 bytes
  SHA-256: a6acff67cddf565ebb52587b28a2a672230de205d1c346d6331cb185892757cb

Filename: font_02_sfnt_off0000b6b9.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB6B9
  Size:    2652 bytes
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea

Filename: font_03_sfnt_off0000bff9.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xBFF9
  Size:    10208 bytes
  SHA-256: 49642996ad084c3c2d858195d996db89afb5efd0f3afc716cf63888d33333882

Filename: font_05_sfnt_off0001025c.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1025C
  Size:    7752 bytes
  SHA-256: 97a988d4aa06b3f0628311a900ee3bd59a9accd56e2c42fcaa2a72d58b60baac