Malicious PDF — malware analysis report

Static analysis result for SHA-256 97f205f25e0440f0…

MALICIOUS

PDF

42.9 KB Created: 2020-06-26 10:26:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5790965bd7be77683ea346a2f42f462f SHA-1: fdef8cc8becf01c8f4bf531af6e9782fc497bcf7 SHA-256: 97f205f25e0440f0ec2e26825874e3eb5c0c01113d4553884fdf94ada28763fb
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF file is disguised as a document about computer networks but contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links, such as http://bkroystonpublishingstore.com/uploads/1/3/0/7/130739662/130739662.html#computer+networks+basics+pdf, likely serve to redirect users to malicious sites, a common tactic for distributing malware or conducting phishing attacks. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bkroystonpublishingstore.com/uploads/1/3/0/7/130739662/130739662.html#computer+networks+basics+pdf
    • http://b-megfansite.org/uploads/1/3/2/6/132682022/7375af0e.pdf
    • http://studiotibo.com/uploads/1/3/0/4/130488547/pixexofufiwu.pdf
    • http://pegma-scaffolding.com.au/uploads/1/3/1/6/131636988/bf8e9.pdf
    • http://spiritfestfl.com/uploads/1/3/0/9/130969471/52463522e740657.pdf
    • http://vinpreaputine.com/uploads/1/3/1/3/131379740/4990362.pdf
    • http://fangqiwen.com/uploads/1/3/0/3/130323733/8552301.pdf
    • https://tanudatekaj.files.wordpress.com/2020/06/40398027906.pdf
    • https://bemivoz.files.wordpress.com/2020/06/81921213017.pdf
    • https://tepofateg.files.wordpress.com/2020/06/kegawedawotidog.pdf
    • https://pebarufa158109345.files.wordpress.com/2020/06/jokomaguwexe.pdf
    • https://lilomepu.files.wordpress.com/2020/06/garun.pdf
    • https://rirewiza.files.wordpress.com/2020/06/38264317940.pdf
    • https://dukugakux.files.wordpress.com/2020/06/wikogojoj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006939.bin
97821a09a0237899a2cac3ec6c32e83d9e2b923056a765aff9629956183a0be2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6939 5472 bytes
font_01_sfnt_off00007bc6.bin
820d551b4f93fc24c735aaca80874f30a66edc37a7f0fb180b8d213c2e26d1b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BC6 10408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.