Malicious PDF — malware analysis report

Static analysis result for SHA-256 932575850e473ea4…

MALICIOUS

PDF

32.3 KB Created: 2020-06-07 21:40:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 968a1d8684f320bf0bab2894ad9dfc98 SHA-1: 44d06bc924f30ecfcda77c58cdebcd866cdc3676 SHA-256: 932575850e473ea450e952eee287af69add4ec39e142711e40f4d04349d08885
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to be part of a link farm. The document body contains fragmented text and URLs, suggesting it's designed to host or redirect to these external resources. The primary intent appears to be SEO manipulation or distributing content via a link farm, rather than direct exploitation within the PDF itself.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dedicated-22.pleasingfood.com/uploads/1/3/0/3/130323213/130323213.html#gamefaqs+fallout+4
    • http://mail.haitianheatspice.com/uploads/1/3/1/1/131164440/sobosenufexomuwiputi.pdf
    • http://joshwsmall.com/uploads/1/3/0/5/130551670/luzen.pdf
    • http://greyriderfordixiecom.com/uploads/1/3/0/3/130323896/xegame.pdf
    • http://humanadvocates.com/uploads/1/3/0/5/130551467/dd86f8ff470fd32.pdf
    • http://hostmaster.fosterscommercials.com/uploads/1/3/1/4/131406386/4722385.pdf
    • http://rrsonsremodelingllc.com/uploads/1/3/1/8/131871921/4294131.pdf
    • http://greenapedesign.com/uploads/1/3/0/2/130288926/84b8b73adfb587.pdf
    • http://kristinnevans.com/uploads/1/3/0/6/130639540/pumuxawab-wizamekokoge.pdf
    • https://bukelemew.files.wordpress.com/2020/06/mewutebaxobovuzidudemo.pdf
    • https://nudokux.files.wordpress.com/2020/06/vegikidigexa.pdf
    • https://duxogij.files.wordpress.com/2020/06/jitivojakuxupu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005393.bin
be6b05a48dcc59ea329d671ade96ca00f59579b29651d5e996c740f862e0128a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5393 10220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.