Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c6104913104d063…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Created: 2020-03-26 08:10:20 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 845c1636d152765536653fa91dc1a74a
SHA-1: 25c9528d1a16f8eeeef388d27274590b2ba01587
SHA-256: 8c6104913104d063a38f0a277e1344845acffef5f3ea8faef27867d6739e0e8e
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO poisoning attack. The document body mentions 'Cub cadet lt1046 air filter' and includes a URL pointing to a related HTML file, indicating a lure to disguise the malicious intent. The primary goal appears to be directing users to a network of external sites, likely for malicious redirection or content distribution.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://delgeinc.com/uploads/1/3/0/2/130272266/130272266.html#cub+cadet+lt1046+air+filter

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000822f.bin
SHA-256:  4ceb4e464f025d8a9fd68d82a7e42c709f9e0db4250fbdd3fbfb7d683e1a6842
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x822F
Size:     8780 bytes