Malicious PDF — malware analysis report

Static analysis result for SHA-256 8b50818467359119…

MALICIOUS

PDF

43.4 KB Created: 2020-06-02 21:43:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 52c7c5c1d3420efc5fcb5c7900c393d3 SHA-1: 07dbead60c514e9aab23870c1d66fc64a162dd0b SHA-256: 8b508184673591196636eb7680528b80d221d6307912c18a8253db9c9ad91048
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous external links, a common tactic for SEO poisoning and driving traffic to malicious sites. The document body, though partially corrupted, contains text referencing 'Happy wheels. swf full version' and URLs that appear to be part of a link farm. This suggests the primary goal is to redirect users to potentially compromised or malicious web pages.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jasonsjordan.com/uploads/1/3/0/4/130489152/130489152.html#happy+wheels.+swf+full+version
    • http://szambabetonowe-poznan.pl/uploads/1/3/1/3/131398066/wutaj-pomugeduruw.pdf
    • http://twointernational.net/uploads/1/3/0/4/130488955/puxisulobimav.pdf
    • http://frozenyumyum.com/uploads/1/3/0/8/130814393/jajivowuzonodolatebi.pdf
    • http://jasonsjordan.com/uploads/1/3/0/4/130489152/terms.html
    • http://jasonsjordan.com/uploads/1/3/0/4/130489152/dmca.html
    • http://jasonsjordan.com/uploads/1/3/0/4/130489152/policy.html
    • https://dameniv.files.wordpress.com/2020/05/subutuvupejeb.pdf
    • https://dutogixe.files.wordpress.com/2020/06/woluwulumugidewetelowim.pdf
    • https://lomodusemuw.files.wordpress.com/2020/05/koxokizamivirozupok.pdf
    • https://sudevoxe.files.wordpress.com/2020/05/zosideme.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079cc.bin
beef8309490a2af646906f245baeaa55732b8e368c6d4bd1e0377daff44028e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79CC 12056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.