Malicious PDF — malware analysis report

Static analysis result for SHA-256 96ff2dffd50cc8e0…

Verdict: MALICIOUS
File type: PDF
Size: 60.9 KB
Created: 2020-03-11 14:08:34 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8b52a977d00bc9118de27022c62f0236
SHA-1: f4060f43fe28ed4c5c84e78b81973430a1b68e25
SHA-256: 96ff2dffd50cc8e0ae385e7d40d250412ee47a9ad1ed6cccd32060617b84a59f
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution point for further malicious content. The embedded URLs and the document body text, though partially obfuscated, reinforce the presence of these external links. The primary attack pattern appears to be directing users to a network of potentially compromised or malicious websites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000a0b9.bin | 291d1b514cdd6a3b05186c002003b3b1b007fa2f41c1d3006bf8017d09f60535 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0B9 | 9140 bytes
font_01_sfnt_off0000c272.bin | 1d6d4b09b83b01209a8644cc285e5adf16950f28039e11725979ba7011779f79 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC272 | 4476 bytes
font_02_sfnt_off0000d0a1.bin | 6db6d9634b9937aa3169e45592670fe9753bced9edc690faa32395a665744885 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD0A1 | 16204 bytes