Malicious PDF — malware analysis report

Static analysis result for SHA-256 9320fd5267f21512…

MALICIOUS

PDF

43.0 KB Created: 2020-06-08 03:51:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 82da62d1e0abc1dcc43a210feb8fb8f0 SHA-1: 18f9c6bfb3c9bba4e0f31ba29a4ebcf534e2fcb5 SHA-256: 9320fd5267f21512c89824707f653bf7e53164087acdc2dc8387c554ee2ef374
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or a distribution mechanism for further malicious content. The document body itself is heavily obfuscated and contains some of these URLs, indicating a potential lure or redirection strategy. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://x0113675xstreamtravel.xsideas.com/uploads/1/3/1/4/131483440/131483440.html#d%25C3%25A9finition+prox%25C3%25A9mie+edward+t+hall
    • http://oliviarushdesign.com/uploads/1/3/0/5/130588718/tuzorixaxevusumof.pdf
    • http://mrschillistreats.net/uploads/1/3/0/2/130288448/sakaloguxereju.pdf
    • http://lucedutoit.com/uploads/1/3/1/8/131857431/tokeworuxijome.pdf
    • http://celestialtribes.com/uploads/1/3/0/7/130775688/bupisigujabi_wuzimiseza_sesilewowi_nilofigafev.pdf
    • http://danvillemedicalspa.com/uploads/1/3/1/6/131607163/vamugigozinama_mulubewojadize_nevipemal_navoluv.pdf
    • http://mailserver.bmorecoaching.com/uploads/1/3/0/6/130604780/a6ed1.pdf
    • http://peacefulwarrioryogaschool.com/uploads/1/3/1/3/131379398/2bb15346.pdf
    • http://glorythief.net/uploads/1/3/0/6/130639682/kovepopuzufiv_gepar_ninikixage_widuniraw.pdf
    • http://olechnacampfire.com/uploads/1/3/0/7/130739593/bojiburajugigikedob.pdf
    • https://nadomanope.files.wordpress.com/2020/06/89245181253.pdf
    • https://datunexa.files.wordpress.com/2020/06/zutizonesofapixaku.pdf
    • https://kunemepor.files.wordpress.com/2020/06/wurumenafagomalogove.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079c5.bin
8f9e0b720e262f8e1e3f9cdda7374830ea0d31b4c98ef5b7798912200bcba41d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79C5 11708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.