Malicious PDF — malware analysis report

Static analysis result for SHA-256 9199d77377f91477…

Verdict: MALICIOUS
File type: PDF
Size: 43.3 KB
Created: 2020-03-28 03:43:02 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8216e035d10ec097594428c51b1e6b2a
SHA-1: 4e3c807fbacc40ccc5af405566513f84e846acba
SHA-256: 9199d77377f91477b2aab106d7acee8c74a9a503f2952f30a8d1f8a5aead1a09
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF document contains a significant number of external links, a technique often used for SEO manipulation or to redirect users to malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, indicating a likely attempt to drive traffic to a network of related domains. No scripts were extracted, and the document body is largely unreadable, making it difficult to determine a more specific attack pattern beyond the link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
font_00_sfnt_off00007257.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7257 | 9408 bytes
  SHA-256: 980ea4548560e156a32463e1b5e6d53c9f667e1d94803450a8376a2cd4028cd6
font_01_sfnt_off00009457.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9457 | 2652 bytes
  SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838