Malicious PDF — malware analysis report

Static analysis result for SHA-256 8eb638dcac996eb7…

Verdict: MALICIOUS
File type: PDF
Size: 30.8 KB
Created: 2020-06-02 02:46:18 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 605ac4cb21f3c2bd3087e9ed77b742e6
SHA-1: 5185f7535ed305d29c555645ed659401f0b77946
SHA-256: 8eb638dcac996eb7de1438e85ac71bedc6b510f67b960c1f8344ea20f87eb5df
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, many pointing to PDF files on unrelated domains. This behavior is indicative of a link farm or a mechanism to distribute malicious content. The primary heuristic identified a link farm with numerous external PDF links, suggesting a coordinated effort to redirect users. While no scripts were extracted, the sheer volume and nature of the embedded URLs strongly suggest a malicious intent to drive traffic to potentially compromised or malicious sites.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004e14.bin
SHA-256: 8a8af26e2cb925473d1a45d5051756e89195f3827f24ec2acb9ea3b0d942bb54
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4E14
Size: 10088 bytes