Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f7a2b609a1de553…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Created: 2020-04-06 08:17:26 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5d1cc7a77ac046493ebced168ab2a09a
SHA-1: 18bf1d90046dd3cb405f7baabc106babbc65329d
SHA-256: 8f7a2b609a1de553c369f21b0f0a6932629adfe5aba46c98874023c427e0c9fb
Risk score: 62

Malware Insights

MITRE ATT&CK
T1598 Phishing for Information; T1204 User Execution (T1204.001 Malicious Link)

The document is a 37.9 KB PDF produced by wkhtmltopdf, i.e. an HTML page rendered to PDF, and it contains an unusually large number of clickable external links, which is what triggered the PDF_SEO_LINK_FARM heuristic. The links point to PDF files on many different domains that all share the same /uploads/d/d/d/d/<numeric id>/ path layout, a pattern that indicates automated generation rather than genuine citations: a link farm, or a distribution mechanism for further unwanted or malicious content. The body text contains the Spanish phrase 'Palabras para quedar embarazada' ('words to get pregnant'), which is a likely search-engine lure, but the primary malicious activity is the mass distribution of external links. All three heuristics that fired concern links; the risk lies in where the links lead, not in code carried by the document itself.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first URL below is the lure page; its fragment carries the same phrase found in the document body. The remaining .pdf URLs are the link-farm targets.
    • http://harrisonrappaport.com/uploads/1/3/0/4/130476089/130476089.html#palabras+para+quedar+embarazada
    • http://mundyrealty.com/uploads/1/3/1/4/131408854/favetodegin.pdf
    • http://paghosts.com/uploads/1/3/0/9/130969823/xonagifuruvezo-ridipib.pdf
    • http://healthrediscovered.org/uploads/1/3/0/7/130775279/2471163.pdf
    • http://stepuptomike.com/uploads/1/3/0/8/130814611/9673380.pdf
    • http://d-cyfor.com/uploads/1/3/0/5/130547924/tatefulazukafesoji.pdf
    • http://alcantaraorozco.com/uploads/1/3/0/2/130289641/49f5d720530f.pdf
    • http://jenniferwasmer.com/uploads/1/3/0/9/130968926/3165915.pdf
    • http://ayres3d.com/uploads/1/3/0/4/130483537/rekojuvufoxalipe.pdf
    • http://annotalegal.com/uploads/1/3/0/7/130775490/597152.pdf
    • http://indonesian-lessons.com/uploads/1/3/0/5/130589430/4266399.pdf
    • http://liberty-rc.com/uploads/1/3/0/4/130476611/7491153.pdf
    • http://goshenyoutharts.com/uploads/1/3/0/9/130969965/6b867880053c73f.pdf
    • http://fanastynoveltysuperstore.com/uploads/1/3/1/3/131384169/konenepen-nojabisupukil-rititepim-kazusegopewob.pdf
    • http://artofsanctuary.com/uploads/1/3/0/4/130483519/3132276.pdf
    • http://raelelectrical.com/uploads/1/3/1/3/131380688/venukizulemoz.pdf
    The following URIs come from the document's XMP metadata packet. They are standard RDF, Dublin Core and Adobe schema namespace identifiers, not clickable links, and carry no weight in the verdict:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
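To make the link-farm heuristic above reproducible, here is an added example (editor's code, not the analyzer's implementation) that pulls every /URI action out of a PDF, separates those clickable links from passive URLs found elsewhere in the bytes (XMP namespaces, body text), and scores the PDF_SEO_LINK_FARM pattern. It goes one step beyond the heuristic text: besides clustering by host, it clusters by shared path layout, which is what this sample's many-domain /uploads/d/d/d/d/<id>/ links actually have in common. The thresholds (100 KB, 10 links, 60% cluster share), the .example host names and the sample PDF built by build_sample() are all constructed assumptions.

```python
"""Link-farm triage for a PDF: collect /URI actions (clickable links), drop
passive URLs such as XMP namespaces, and score the PDF_SEO_LINK_FARM pattern:
a small file, many external .pdf links, links clustered on one host or on one
shared path layout.  Thresholds and sample data are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) and /URI <hex string>.  The literal form allows the
# \( \) \\ escapes and octal escapes, resolved in _unescape().
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Any URL-looking token anywhere in the bytes, clickable or not.
_ANY_URL = re.compile(rb"https?://[^\s<>\"'()\\]+")

# Namespace URIs every XMP packet declares: schema identifiers, not links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)


def _unescape(raw: bytes) -> str:
    """Resolve PDF literal-string escapes (octal, parentheses, backslash, n/r/t)."""
    def repl(m):
        esc = m.group(1)
        if re.fullmatch(rb"[0-7]{1,3}", esc):
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list:
    """Targets of every /URI action in the file: the links a reader can click."""
    found = [_unescape(m.group(1)) for m in _URI_LITERAL.finditer(pdf)]
    for m in _URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:            # PDF pads an odd final hex digit with 0
            digits += b"0"
        found.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return found


def extract_all_urls(pdf: bytes) -> list:
    """Every URL-looking token in the bytes, whether clickable or not."""
    return [m.group(0).decode("latin-1") for m in _ANY_URL.finditer(pdf)]


def path_template(url: str) -> str:
    """Shape of a URL path: file name dropped, digit runs replaced by '#'."""
    parent = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "#", parent)


def assess_link_farm(pdf: bytes, max_size=100_000, min_pdf_links=10,
                     min_cluster_share=0.6) -> dict:
    """Score the PDF_SEO_LINK_FARM pattern (thresholds are assumed values)."""
    clickable = extract_uri_actions(pdf)
    external = [u for u in clickable if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host, host_hits = hosts.most_common(1)[0] if n else (None, 0)
    top_tpl, tpl_hits = templates.most_common(1)[0] if n else (None, 0)
    # Passive URLs sit in the bytes but behind no /URI action; the XMP
    # namespaces among them are noise and must not count toward the score.
    passive = [u for u in extract_all_urls(pdf) if u not in set(clickable)]
    xmp = [u for u in passive if u.startswith(XMP_NAMESPACE_PREFIXES)]
    cluster = max(host_hits, tpl_hits) / n if n else 0.0
    return {
        "file_size": len(pdf),
        "clickable_links": len(clickable),
        "external_pdf_links": n,
        "top_host": top_host,
        "top_path_template": top_tpl,
        "cluster_share": cluster,
        "xmp_namespace_urls": len(xmp),
        "passive_body_urls": len(passive) - len(xmp),
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and n >= min_pdf_links
                             and cluster >= min_cluster_share,
    }


def build_sample(links) -> bytes:
    """Constructed input: one page whose link annotations carry `links` as
    /URI actions, plus an XMP packet.  Objects are uncompressed and there is
    no xref table, so this is regex fodder rather than a conforming PDF; real
    samples usually need object streams inflated first (e.g. with pikepdf)."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n" for u in links)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'><rdf:Description>"
           b"<dc:title>Palabras para quedar embarazada</dc:title>"
           b"</rdf:Description></rdf:RDF></x:xmpmeta>")
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [\n")
    meta = (b"4 0 obj << /Type /Metadata /Subtype /XML /Length "
            + str(len(xmp)).encode() + b" >>\nstream\n" + xmp
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
    return head + annots + b"] >> endobj\n" + meta


# Constructed link sets mimicking the report: many hosts, one shared
# /uploads/d/d/d/d/<id>/ layout, plus the .html lure page (all hypothetical).
FARM_LINKS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 10}/13{i:07d}/{1000 + i}.pdf"
              for i in range(15)] + [
    "http://lure.example/uploads/1/3/0/4/130476089/130476089.html#palabras+para+quedar+embarazada"]
BENIGN_LINKS = ["https://example.org/paper.pdf", "https://doi.example/10.1000/xyz"]

if __name__ == "__main__":
    for name, links in (("farm", FARM_LINKS), ("benign", BENIGN_LINKS)):
        print(name, assess_link_farm(build_sample(links)))
```

Against a real sample, inflate compressed object streams before running the regexes, and treat the two cluster measures differently in reporting: a high host share is the classic single-dropper pattern, while a high path-template share with many distinct hosts, as here, points to a hosting platform being abused at scale.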

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c06.bin
SHA-256: 75c0cc0e7f11ec7c5fa6e16eadf350a494c6e852d656cde2a87a539d2ee62e59
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6C06
Size: 8368 bytes

An embedded sfnt (TrueType/OpenType) font is expected in a document rendered by wkhtmltopdf and is not an indicator by itself; it is carved so it can be hashed and checked for reuse across related samples.