Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e59e16a2becf7d1…

Verdict: MALICIOUS
File type: PDF
Size: 33.5 KB
Created: 2020-04-12 22:51:52 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 91eec2a485788f06709f9e86165c12de
SHA-1: 8237cc0bb444f5128e30a173304e857eaf50bfcd
SHA-256: 8e59e16a2becf7d1e0103017172b17a859c7586aeb3c5e4c9c0f7b6ccf47a18f
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The twelve .pdf link targets sit on twelve different domains but share the same /uploads/1/3/ path shape ending in a nine-digit numeric directory, which points to documents generated from one site template rather than to genuine citations; the remaining document URL, an .html page whose fragment is a run of keyword-style search terms, fits the same SEO pattern. The producer string (wkhtmltopdf, an HTML-to-PDF renderer) is consistent with the file having been rendered from such a generated page. The six www.w3.org, purl.org and ns.adobe.com URIs are XMP/RDF namespace identifiers from the metadata stream, not navigable links, and should not be treated as indicators. The body text, though partially corrupted, repeats the external links. No JavaScript or other scripts were extracted, so the file carries no direct payload; the risk lies in where the links lead, and because this kind of hosting rotates quickly, the targets should be re-checked at the time of triage rather than taken from this report as current.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action (/URI).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (.html page with a keyword-style fragment):
    • http://baliliveentertainment.com/uploads/1/3/1/6/131606876/131606876.html#tramites+de+servicio+social+de+cbtis+56
    External .pdf link targets (12 distinct hosts, one shared path shape):
    • http://thepeacefulmarket.com/uploads/1/3/1/4/131482894/rogewevovanolowajogi.pdf
    • http://pblaeh.com/uploads/1/3/0/2/130289172/3a6afa626c58cdb.pdf
    • http://phoenixpublicationservices.com/uploads/1/3/1/3/131398359/pinekeroliju-xogofe-falubopeboguxo.pdf
    • http://nabssociety.org/uploads/1/3/1/1/131163832/2063be240f12ec3.pdf
    • http://lowermytvcost.com/uploads/1/3/0/7/130739505/2367915.pdf
    • http://tastyorwasty.com/uploads/1/3/0/8/130874533/fc569da.pdf
    • http://studiotasca.eu/uploads/1/3/1/1/131164205/3ab81d2a38.pdf
    • http://manningelec.com/uploads/1/3/0/6/130620524/5332237.pdf
    • http://prehistoriceshop.com/uploads/1/3/1/3/131398362/valirenufisowodobel.pdf
    • http://paclistinglive.com/uploads/1/3/0/2/130289166/3e18e8f4d.pdf
    • http://vk-podarki.site/uploads/1/3/0/5/130589094/6875481.pdf
    • http://indigochildskateboards.com/uploads/1/3/0/7/130775951/71a9657a60078.pdf
    XMP/RDF metadata namespace identifiers (schema names, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
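
The heuristics above describe a detection in prose only. The following is an added example, written for this page and not the analysis platform's own code, of how the PDF_SEO_LINK_FARM check can be reproduced over raw PDF bytes: it separates clickable /URI link actions from the XMP namespace URIs that every metadata stream carries, then fires when a small file holds many external .pdf links that cluster either on one host or, as in this report's URL list, on one generated path shape. The thresholds (64 KB, 8 links, 50 % clustering), the example.org hosts and the hand-built fixture document are assumptions made here; the path-template clustering goes beyond the heuristic's own wording, which speaks only of host clustering.

```python
"""Added example: regex-level URL extraction from an uncompressed PDF and a
PDF_SEO_LINK_FARM-style check. Not the analysis platform's code; thresholds
and the sample document are assumptions made for this illustration."""
import re
from collections import Counter
from urllib.parse import urlparse

# A /Link annotation's action dictionary: /A << /S /URI /URI (target) >>.
# Key order inside a PDF dictionary is free, so match the dictionary first
# and look for both keys inside it.
ACTION_DICT_RE = re.compile(rb"/A\s*<<(.*?)>>", re.S)
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# XMP metadata always carries these schema identifiers; they are namespace
# names, not navigable links, and must not count toward a link-farm verdict.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)


def build_sample_pdf(link_urls):
    """Constructed fixture: an uncompressed PDF with one /Link annotation per
    URL plus an XMP stream. No xref table, so it is enough for byte-level
    extraction but not a conforming file; real samples are usually compressed
    and need `qpdf --qdf` or a proper parser first."""
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(link_urls)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj",
    ]
    for i, url in enumerate(link_urls):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (5 + i, url.encode()))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


def extract_urls(pdf):
    """Split URLs by channel: clickable /URI actions, XMP namespaces, and
    anything else found in the body. PDF literal-string escapes are not
    decoded here; a real parser should do that."""
    link_actions = []
    for m in ACTION_DICT_RE.finditer(pdf):
        action = m.group(1)
        if re.search(rb"/S\s*/URI\b", action):
            hit = URI_KEY_RE.search(action)
            if hit:
                link_actions.append(hit.group(1).decode("latin-1"))
    seen = {m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)}
    other = sorted(seen - set(link_actions))
    namespaces = [u for u in other if u.startswith(XMP_NAMESPACE_PREFIXES)]
    body = [u for u in other if u not in namespaces]
    return link_actions, body, namespaces


def path_template(url):
    """Collapse the directory part to its shape so URLs generated from one
    site template compare equal: /uploads/1/3/0/7/130739505/2367915.pdf and
    /uploads/1/3/1/1/131164205/3ab81d2a38.pdf both become /uploads/N/N/N/N/N/*.pdf."""
    directory, _, filename = urlparse(url).path.rpartition("/")
    ext = filename.rpartition(".")[2].lower() if "." in filename else ""
    return re.sub(r"\d+", "N", directory) + "/*." + ext


def link_farm_check(pdf, max_size=64 * 1024, min_links=8, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM-style verdict (thresholds assumed): a small file with
    many external .pdf link actions, most of which share one host or, as in
    this report's URL list, one generated path template."""
    link_actions, _, _ = extract_urls(pdf)
    pdf_links = [u for u in link_actions if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top = max(max(hosts.values(), default=0), max(templates.values(), default=0))
    fired = (len(pdf) <= max_size and len(pdf_links) >= min_links
             and top >= cluster_ratio * len(pdf_links))
    return {"size": len(pdf), "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_cluster": top, "fired": fired}


# Constructed sample: ten distinct hosts, one shared path shape, as in the report.
SAMPLE_LINKS = [f"http://host{i:02d}.example.org/uploads/1/3/0/{i % 8}/13{i * 9173:07d}/{0xa1b2c3 + i:x}.pdf"
                for i in range(10)]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    links, body, namespaces = extract_urls(sample)
    print(f"link actions: {len(links)}, body URLs: {len(body)}, XMP namespaces: {len(namespaces)}")
    print(link_farm_check(sample))
```

On a real sample, decompress object and content streams first (for instance with `qpdf --qdf --object-streams=disable`) or hand the file to a proper PDF parser; the byte-level regexes above see only uncompressed objects, which is why a compressed link farm would otherwise look clean. Keeping the XMP namespaces out of the count matters: a benign document produced by the same renderer carries exactly the same six schema URIs.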

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005a0b.bin
SHA-256:  29895cc712cc2671370bf63be2c16710a1a9d0a1b6256ccd40916d778c4df9b5
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5A0B
Size:     8300 bytes