MALICIOUS, Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
This PDF document contains a large number of external links, characteristic of a link farm or SEO spam. The document body mentions 'Angry bird crochet hat pattern with ear flaps', suggesting a lure to attract users. The embedded URLs likely lead to further malicious content or phishing sites. No scripts were extracted from this sample.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000a956.bin 8cfe9b31aff3995b65fb9b6093272e2c5dcfc2d2f747c6eb652580df444a54b7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA956 | 8432 bytes |
| font_01_sfnt_off0000c9fb.bin d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC9FB | 2616 bytes |
| font_02_sfnt_off0000d32b.bin 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD32B | 1708 bytes |