Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d8457f5a21b8330…

MALICIOUS

PDF

29.6 KB Created: 2020-06-08 01:05:12 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 563033d3ea99cad218bbd4b0acf1e16c SHA-1: d032ceef0650715e75c55e43ee3252937276e4ce SHA-256: 8d8457f5a21b833051fbd04ae252a6981eb4985011b87f17739acc373d3957c9
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to be part of a link farm designed to manipulate search engine results or host malicious content. The document body itself is largely unreadable, but the presence of numerous external links suggests a phishing or SEO manipulation attack. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mta-sts.mail.themodestshoptx.com/uploads/1/3/0/7/130775261/130775261.html#national+geographic+learning+unit+1
    • http://yellow-confers.com/uploads/1/3/0/7/130740492/9705131.pdf
    • http://pictorvr.com/uploads/1/3/0/5/130590532/57f0ff44b62ca5a.pdf
    • http://callahanconstructionmn.com/uploads/1/3/0/4/130477490/bf21a235be875.pdf
    • http://fightthetrump.com/uploads/1/3/0/6/130604028/jamalatajikubuvi.pdf
    • http://joepirolomd.com/uploads/1/3/1/6/131606730/fizadusalukum-mogowewamo-sebovitodufekiz-pinujanojusuko.pdf
    • http://sparklepalacekidsspa.org/uploads/1/3/1/6/131637928/2991768.pdf
    • http://meganwirtjes.com/uploads/1/3/0/4/130488223/794feee8fa.pdf
    • http://blackcanyonpet.com/uploads/1/3/0/6/130620536/6244722.pdf
    • https://nedudiwu.files.wordpress.com/2020/06/supuj.pdf
    • https://jefogusiku.files.wordpress.com/2020/06/givadudedino.pdf
    • https://bifariki.files.wordpress.com/2020/06/salupixa.pdf
    • https://bozumar.files.wordpress.com/2020/06/47855812164.pdf
    • https://pawojoteloje.files.wordpress.com/2020/06/31146528170.pdf
    • https://xuwejurojer.files.wordpress.com/2020/06/9029838934.pdf
    • https://megazotawulo183772260.files.wordpress.com/2020/06/kuguxamaloritozusajeginan.pdf
    • https://jolubinej.files.wordpress.com/2020/06/17265889121.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004be6.bin
3f97f6bfe5d9144dc442499d4b0675c713dec73bf9c146408b1560821cb8315c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4BE6 8992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.