Malicious PDF — malware analysis report

Static analysis result for SHA-256 97714e00bbefd1f9…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Created: 2020-06-01 14:54:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 532d8ae55f9cebbf7637c29914049a48
SHA-1: a281ed4634c65de441e2e4b942b6fc619aea9098
SHA-256: 97714e00bbefd1f9f10d3b97d6ed53523740ab4cd29dac1dacf0c6c05884631b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains numerous embedded URLs pointing to a network of domains, many of which are structured as SEO-optimized PDF links. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass linking of external PDFs, suggesting a link farm or redirection scheme. The document body, though partially corrupted, contains fragments of these URLs, reinforcing the attack pattern. No scripts were extracted, limiting the analysis to the document structure and embedded links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://yvzsr.bpmtc.com/uploads/1/3/0/2/130289775/130289775.html#exposici%25C3%25B3n+de+dinosaurio+ventura+con
    • http://theilovemebrand.com/uploads/1/3/0/6/130639310/ruwode-zesasenado-gosagewoge.pdf
    • http://hardywindowsanddoors.com/uploads/1/3/0/3/130313150/zadidoxefixesifeju.pdf
    • http://mta-sts.mail.rennen-ost.ch/uploads/1/3/1/3/131379726/14baa3d64460b49.pdf
    • http://kristinagrahamphotography.com/uploads/1/3/0/6/130639875/logoxulo.pdf
    • http://lvhomepriority.com/uploads/1/3/1/4/131483068/diritekakopog.pdf
    • http://yvzsr.bpmtc.com/uploads/1/3/0/2/130289775/terms.html
    • http://yvzsr.bpmtc.com/uploads/1/3/0/2/130289775/dmca.html
    • http://yvzsr.bpmtc.com/uploads/1/3/0/2/130289775/policy.html
    • https://tujirunovu.files.wordpress.com/2020/05/jezabuwise.pdf
    • https://fimafof.files.wordpress.com/2020/05/58846181581.pdf
    • https://kafezoruvi.files.wordpress.com/2020/05/9528689557.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005657.bin
SHA-256: c90d4019ffbdeed228689d122e4c7d9300872f62099839d814dfb079c821c7c3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5657
Size: 11176 bytes