Malicious PDF — malware analysis report

Static analysis result for SHA-256 94412320e685e253…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2020-06-15 00:45:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5613d6e469c86ba6b1cff318b41bb21d
SHA-1: 69d8436c8412473169bed017e110c49db62e68a4
SHA-256: 94412320e685e253bb3d64f7e44338e51dc4a087e70af99fe693f64f8ca813c2
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The document contains an unusually large number of external links for its size, matching the PDF_SEO_LINK_FARM heuristic. The primary link points to http://eviescakery.com/uploads/1/3/1/3/131380258/131380258.html#lower+back+physiotherapy+exercises+for+pain, whose keyword-stuffed fragment reads like a search-engine lure rather than a document reference. Most of the remaining links lead to further PDF files hosted under near-identical /uploads/<digits>/<id>/ paths on many different domains, plus several files.wordpress.com subdomains, which points to a generated set of carrier documents that route visitors into a common redirect or delivery chain rather than a normal citation pattern. The wkhtmltopdf authoring tag is consistent with the file having been produced automatically from an HTML template. No scripts were extracted from this sample, so the risk lies in where the links lead rather than in code that runs when the file is opened.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://eviescakery.com/uploads/1/3/1/3/131380258/131380258.html#lower+back+physiotherapy+exercises+for+pain
    Linked PDF files:
    • http://cpanel.storgebhs.com/uploads/1/3/1/4/131453724/7792943.pdf
    • http://kineotransportgroup.com/uploads/1/3/0/4/130476075/nekom.pdf
    • http://kruti2017.com/uploads/1/3/0/5/130551728/kemixekexobowu_xarob_wovadowemotabap.pdf
    • http://auxlegacy.com/uploads/1/3/0/2/130271078/pozowa.pdf
    • http://mail.sermujersma.com/uploads/1/3/1/3/131379059/mejikega.pdf
    • http://3angelsmessageministry.com/uploads/1/3/0/5/130551777/luxado-divobixufiv-jotasujo-takibafumezusov.pdf
    • http://brandoned.com/uploads/1/3/0/7/130738975/bofenomidodod-tazare.pdf
    • http://ndonnawise.net/uploads/1/3/0/5/130538875/xaloxegi_biful_lebobotipuso_jorupo.pdf
    • http://cohencollegecounseling.com/uploads/1/3/1/0/131070904/8453690.pdf
    • http://mail.speluqueros.com/uploads/1/3/0/5/130550910/87509f0f841.pdf
    • http://mail.sebolt.com/uploads/1/3/0/2/130288394/3555908.pdf
    • http://cosiolandscaping.com/uploads/1/3/0/6/130604823/5141415.pdf
    • https://gajedefolig.files.wordpress.com/2020/06/28584581475.pdf
    • https://rufofuvokije.files.wordpress.com/2020/06/luwolirusixuxonijivirovom.pdf
    • https://favogevi.files.wordpress.com/2020/06/53493463365.pdf
    • https://masobovixapa.files.wordpress.com/2020/06/bipasemuwiwa.pdf
    • https://raneguwuvaxa199338652.files.wordpress.com/2020/06/40532137542.pdf
    XMP metadata namespace URIs (standard RDF/Dublin Core/Adobe schema identifiers from the document's metadata stream; these are not clickable links and carry no weight in the verdict):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
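The following is an added, stdlib-only example of the two ideas the heuristics above rely on: extracting URLs together with the channel that carries them (a clickable /URI link action versus an XMP namespace declaration that never navigates), and then applying a PDF_SEO_LINK_FARM-style check that only counts the clickable channel. It is not the analysis service's code and it does not run on this sample; it runs on a constructed miniature PDF embedded below, and the hostnames, the size/count/host-share thresholds and the helper names are this example's assumptions. Because it searches raw bytes, it only sees uncompressed objects; a real triage tool inflates FlateDecode streams and object streams first.

```python
"""Added example (not the report tool's code): pull URLs out of a PDF by the
channel that carries them, then apply a link-farm check in the spirit of the
PDF_SEO_LINK_FARM heuristic.  Stdlib only; works on raw, uncompressed bytes."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, NOT the analysed file: one page with six /Link
# annotations (one HTML lure, five PDF targets, four of them on one host)
# and an XMP metadata stream that carries schema namespace URIs.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF></x:xmpmeta>')


def _link(num: int, url: bytes) -> bytes:
    """Build one /Link annotation object with a /URI action (sample helper)."""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url))


SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 10 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R "
    b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj\n",
    _link(4, b"http://lure.example/131380258.html#lower+back+exercises"),
    _link(5, b"http://farm.example/uploads/1/3/0/4/1.pdf"),
    _link(6, b"http://farm.example/uploads/1/3/0/5/2.pdf"),
    _link(7, b"http://farm.example/uploads/1/3/0/6/3.pdf"),
    _link(8, b"http://farm.example/uploads/1/3/0/7/4.PDF"),
    _link(9, b"https://other.example/2020/06/5.pdf"),
    b"10 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP),
    XMP, b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# A /URI action whose target is a PDF literal string "( ... )".  Hex strings
# (<...>) and indirect string objects are not handled in this example.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]*)"')


def extract_urls(data: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs.  The channel is the evidence: a link
    annotation is something a user can click; an XMP namespace is a schema
    identifier that never renders and never navigates."""
    out: list[tuple[str, str]] = []
    for m in URI_LITERAL_RE.finditer(data):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape \( \) \\
        out.append(("link-annotation", raw.decode("latin-1")))
    for xmp in XMP_RE.finditer(data):
        for ns in XMLNS_RE.findall(xmp.group(0)):
            out.append(("xmp-namespace", ns.decode("latin-1")))
    return out


def link_farm_verdict(size_bytes: int, urls: list[tuple[str, str]],
                      max_size: int = 100 * 1024, min_pdf_links: int = 4,
                      min_top_host_share: float = 0.5) -> dict:
    """Small file + many clickable links to .pdf targets + most of them on one
    host.  The three thresholds are this example's assumptions, not the
    report's; only the clickable channel counts, so metadata URIs never fire it."""
    clickable = [u for ch, u in urls if ch == "link-annotation"]
    pdf_links = [u for u in clickable
                 if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = (size_bytes <= max_size
             and len(pdf_links) >= min_pdf_links
             and share >= min_top_host_share)
    return {"external_links": len(clickable), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "fired": fired}


if __name__ == "__main__":
    found = extract_urls(SAMPLE_PDF)
    for channel, url in found:
        print(f"{channel:16} {url}")
    print(link_farm_verdict(len(SAMPLE_PDF), found))
```

On the constructed sample the check fires (five clickable .pdf targets, four on farm.example, in a file well under the size cap), while feeding it only the XMP namespace URIs, or a large file, leaves it quiet. Applied to a real file the same separation by channel is what keeps the six ns.adobe.com/purl.org/w3.org namespace entries above out of the count.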

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000063a7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x63A7   10444 bytes
  SHA-256: d5772a84d8007f458e2f9f8a74d062ea7fcafeafc743feb9bfe50533ea630af5

Embedded fonts are normal for HTML-to-PDF output such as wkhtmltopdf; the stream is carved so it can be hashed and checked on its own, and none of the heuristics above fired on it.