Malicious PDF — malware analysis report

Static analysis result for SHA-256 8eebb6ca23dffc56…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Created: 2020-04-10 11:30:54 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 85b90d32697100b0c8ef09cd1d841fee
SHA-1: 3260da8aca99044124f0e9f8c9ad952b8e0c8efc
SHA-256: 8eebb6ca23dffc5664184df7d90d785a18263b6ebd8baee3f0bc8ea06ac2cb3f
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains a large number of external links, a pattern commonly used for SEO spam or to redirect users to malicious sites. The heuristic PDF_SEO_LINK_FARM identifies exactly this pattern: a mass of external links to other PDFs. The document body consists of seemingly random text and URLs, which further supports the link-farm hypothesis. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://stmfraldas.com/uploads/1/3/1/4/131483042/131483042.html#volume+of+a+right+circular+cone+is+9856+cm+cube
    • http://mikefosterstunts.com/uploads/1/3/0/5/130544387/3f535.pdf
    • http://mgmalehair.com/uploads/1/3/1/4/131484328/borupatus-pimed-sufazidegojivep-xumapozetolelom.pdf
    • http://nicewerk.com/uploads/1/3/1/4/131437711/kesusimad-kigogas.pdf
    • http://aaaconcretinga.com/uploads/1/3/0/9/130969525/gejex-fapomevivika-ralezotag.pdf
    • http://bitemyselfie.com/uploads/1/3/0/6/130639292/gevij-rukupiwezelapu-videxusiton.pdf
    • http://noblegoldens.com/uploads/1/3/0/6/130605073/fedudipugori-ramojawe-wapenizavadu-gurasavigolila.pdf
    • http://fullcircleinvestmentproperties.net/uploads/1/3/0/6/130620578/mojimurewudede_fenobalat_fejap_depedejim.pdf
    • http://aghomes.org/uploads/1/3/0/4/130435794/noroxo.pdf
    • http://laurenobern.com/uploads/1/3/0/4/130488395/8518521.pdf
    • http://sweatthatfat.com/uploads/1/3/0/5/130551106/zelolimo-gejikevoxisur-tibenu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00005b61.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5B61   7756 bytes
  SHA-256: 5efe094564e38588268fb39a58af6b518569716044a9b4aff2b5101bff3355b5
font_01_sfnt_off000079d4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x79D4   2788 bytes
  SHA-256: 985cbd9ba5b629f1b749d04d852c0eecb5d8ad374186a1044a60da9476420dc6
font_02_sfnt_off000083a2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x83A2   16088 bytes
  SHA-256: 287b852d1c1b0334c7d2ab49fe8ac8ac5488f6edefc3e00d5eee83c7048b9cc5