Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dd410470c26e927…

MALICIOUS

PDF

Size: 45.7 KB
Created: 2020-04-03 08:26:21 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 810ae340d5b67c76089c154d98cdbaec
SHA-1: d25dc48724c2d66ae419c17e22aa5ff5179f2fa4
SHA-256: 8dd410470c26e9273bf69d832600e92f345147da0f14ac52e880e47d2310f2da
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, many of which point to other PDF files on different domains. This suggests a link farm or SEO poisoning tactic designed to drive traffic to a network of sites. The document body is heavily obfuscated and contains embedded URLs, further supporting the link farm hypothesis. No scripts were extracted, and the primary malicious activity appears to be the redirection to external content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

  • font_00_sfnt_off0000705f.bin
    SHA-256: 36e1442757a3bb0562199a772e4b068c1ef4e2a9010c16f36db1f1994a86b9d4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x705F
    Size: 9528 bytes
  • font_01_sfnt_off000092a3.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x92A3
    Size: 16036 bytes