Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fbaea641f760842…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2020-06-22 04:59:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c842806102d7f9619be0a8763d3e43d
SHA-1: d18a4e39527a3da9d5f1ff1272ed535d0018cc6a
SHA-256: 8fbaea641f7608425fb1954b3df759083aa204a8f0006cdc2e9ae88f50782448
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document is designed as a lure, masquerading as a manual for a Bobcat clark 310 to entice users to click on numerous embedded links. These links predominantly point to other PDF files hosted on various domains, suggesting a link farm or a method to distribute further malicious content. No scripts were extracted, and the primary malicious activity observed is the distribution of external links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004bde.bin
    SHA-256: cd364af701864c593189d5f16e04c8e4b8e9cd2ecfebc2aef13c3ecfc14af54f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4BDE
    Size: 5524 bytes
  • Filename: font_01_sfnt_off00005e98.bin
    SHA-256: 1afa6a4121ec0119cd0a89806870703f81c085fe30609547c49964c5c1b53a3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E98
    Size: 10740 bytes