Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aa8f888125f12ba…

MALICIOUS

PDF

43.5 KB Created: 2020-03-07 13:36:04 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 52a3656b5b6e2d65c6adb3ed22f0605f SHA-1: f994faf2993f95296a3ba3e6904e32c3433968c0 SHA-256: 8aa8f888125f12bafcd770d5bee4b5286eb42cb2c72f8d5b7ac2087827a76a97
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The document body text is largely unreadable garbage, but the presence of the URL http://www.dailyherbs.eu/uploads/1/3/0/2/130288798/130288798.html#explain+the+scarcity+definition+of+economics+and+assess+it within the document body and the numerous PDF links indicate a pattern of directing users to external resources, potentially for malicious purposes.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.dailyherbs.eu/uploads/1/3/0/2/130288798/130288798.html#explain+the+scarcity+definition+of+economics+and+assess+it
    • http://petalstopins.com/uploads/1/3/0/6/130620490/01b148a.pdf
    • http://www.silveraeromusic.page/uploads/1/3/0/6/130639449/kiwusi.pdf
    • http://johngeneralconstruction.com/uploads/1/3/0/7/130739405/rebejowixorutu.pdf
    • http://aerialstuntscootersfullforce.com/uploads/1/3/0/6/130604881/67877b619d1.pdf
    • http://aledger.net/uploads/1/3/0/3/130379069/c667ec565d77.pdf
    • http://texasbackhaul.com/uploads/1/3/0/5/130538833/3886073.pdf
    • http://kidsfiresafetytips.net/uploads/1/3/0/2/130287394/5083634.pdf
    • http://phonzup.net/uploads/1/3/0/7/130775309/2269077.pdf
    • http://www.dogwalkinglc.com/uploads/1/3/0/7/130739968/wajijemusagejiwu.pdf
    • http://cafeessencebendigo.com/uploads/1/3/0/3/130324288/fewaxubak.pdf
    • http://simpledelisheats.com/uploads/1/3/0/2/130288498/fulifusip-morupawa-pidox-sofali.pdf
    • http://oakroaster.com/uploads/1/3/0/7/130740572/rufasowajusi.pdf
    • http://www.anyamodel.com/uploads/1/3/0/5/130588834/ruvudumelivopu_mitewotebuwisex_wunus.pdf
    • http://www.pulltheadvertisements.com/uploads/1/3/0/5/130539825/473fbd.pdf
    • http://livecellphone.com/uploads/1/3/0/8/130874606/a8354.pdf
    • http://ramadainnsuitestomsriverlakewood.devsite-1.com/uploads/1/3/0/7/130739746/79e74610104e6.pdf
    • http://test-website-version.com/uploads/1/3/0/9/130969339/4c0c4df911ea7b.pdf
    • http://bxs.jesuschristandmarymagdalene.org/uploads/1/3/0/9/130969062/9782308.pdf
    • http://cup054.com/uploads/1/3/0/8/130814642/91f35cf33.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006fc0.bin
f612fe72560ae397e898c46e640590b783638f1e76ac59dde2455a41474144ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FC0 7204 bytes
font_01_sfnt_off00008c0c.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C0C 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.