Malicious PDF — malware analysis report

Static analysis result for SHA-256 9854e12b39621e38…

Verdict: MALICIOUS
File type: PDF

Size: 36.5 KB
Created: 2020-04-09 11:45:37 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 60f7ab307de3586254c886c003729601
SHA-1: aa6dd7fb12f6733e3acb1bdbc6b74a1b0cff7d47
SHA-256: 9854e12b39621e380a325b0c8c256ec492b72bab2cd01cafa41a078ba373a558
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 Malicious Link

The PDF uses a lure about updating Garmin devices (the keyphrase update+garmin+foretrex+401 sits in the fragment of the first extracted URL), a common social-engineering theme. It carries a large number of external links, almost all of them to further PDFs under near-identical /uploads/1/3/... paths on different hosts, which marks it as one node of a generated SEO link farm rather than a document with genuine citations. Its only function is to route whoever opens it to these external sites, which may in turn deliver malicious or unwanted content. The heuristics flag no JavaScript, launch action or embedded executable in the file itself; the risk lies entirely in where the links lead.

Heuristics 3

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://oldkingpartners.com/uploads/1/3/1/3/131384374/131384374.html#update+garmin+foretrex+401
    • http://nharmonycastingandtalent.com/uploads/1/3/0/5/130538953/lozaxagup-mejiletojusosi-pusebejusel.pdf
    • http://katiescreativecorner.com/uploads/1/3/0/2/130288854/refazaziz_xagipuwivej_kejam.pdf
    • http://mail.actg.org/uploads/1/3/0/8/130874613/914742b14dc1b.pdf
    • http://allenparkpres.info/uploads/1/3/1/0/131071035/safofutuda.pdf
    • http://wafson.com/uploads/1/3/0/7/130775766/6325480.pdf
    • http://pinkpincushion.com/uploads/1/3/0/5/130540246/9700202.pdf
    • http://wildterania.com/uploads/1/3/0/5/130547215/durejudo-belubidapimu.pdf
    • http://bensafatherapy.com/uploads/1/3/1/4/131406695/vivixobobit.pdf
    • http://villa-page.com/uploads/1/3/0/4/130476396/ee702.pdf
    The remaining six are standard RDF, Dublin Core and XMP schema namespace identifiers of the kind found in a metadata packet, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
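To make the PDF_SEO_LINK_FARM heuristic and the per-URL channel labelling concrete, here is an added example of how such a rule can be implemented. It is not the analysis engine's own rule code. It assembles a constructed minimal PDF in memory (no real sample is parsed), scans the raw bytes with regular expressions, labels each URL as reached through a clickable link annotation (a /URI action) or merely present in the document body (such as an XMP namespace), and applies assumed thresholds for "small", "many .pdf links" and "clustered on one host". The scanner is deliberately simple: it does not decompress object streams or decode hex strings, so links hidden in compressed streams would be missed. Hostnames, thresholds and the XMP snippet are all assumptions made for this example.

```python
"""Toy implementation of a PDF_SEO_LINK_FARM-style heuristic (added example).

A minimal PDF is constructed in memory so the scanner runs offline; the
link hosts, thresholds and metadata snippet below are assumptions, not
values taken from the analysed sample.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Clickable links: the string value of /URI inside a URI action dictionary.
# Simplified: no object-stream decompression, hex strings or escape handling.
URI_STRING_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any http(s) URL anywhere in the raw bytes (metadata, content, comments).
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

# Thresholds are assumptions for this example, not the engine's real tuning.
SMALL_PDF_BYTES = 200 * 1024   # "small PDF"
MIN_PDF_LINKS = 5              # clickable .pdf targets needed to fire
MIN_TOP_HOST_SHARE = 0.6       # "mostly clustered on one host"


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that reached it: 'link_annotation'
    (a clickable /URI action) or 'document_body' (merely present in bytes)."""
    clickable = {m.group(1).decode("latin-1") for m in URI_STRING_RE.finditer(pdf)}
    urls = {}
    for m in ANY_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        urls[url] = "link_annotation" if url in clickable else "document_body"
    for url in clickable:           # keep clickable links the generic regex missed
        urls[url] = "link_annotation"
    return urls


def link_farm_verdict(pdf: bytes) -> dict:
    """Small file + many clickable external .pdf links + one dominant host."""
    urls = extract_urls(pdf)
    pdf_links = [u for u, channel in urls.items()
                 if channel == "link_annotation"
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    fired = (len(pdf) <= SMALL_PDF_BYTES
             and len(pdf_links) >= MIN_PDF_LINKS
             and top_share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "urls": urls, "pdf_link_count": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host_share": round(top_share, 2),
            "PDF_SEO_LINK_FARM": fired}


def build_pdf(link_urls, metadata=b"") -> bytes:
    """Assemble a single-page PDF with one /Link annotation per URL and an
    optional XML metadata stream (constructed test input, uncompressed)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(link_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    if metadata:
        objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
                    % len(metadata) + metadata + b"\nendstream")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


# Constructed inputs (assumed hostnames; mimics the /uploads/1/3/... pattern).
XMP_SNIPPET = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
               b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
               b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
               b'xmlns:xmp="http://ns.adobe.com/xap/1.0/"/></x:xmpmeta>')
FARM_LINKS = [f"http://farm-host.example/uploads/1/3/0/{i}/{i}.pdf" for i in range(6)] + [
    "http://other-host.example/uploads/1/3/1/9/lure.pdf",
    "http://lure-host.example/uploads/1/3/1/3/page.html#update+garmin+foretrex+401",
]
CITATION_LINKS = ["https://docs.example/manual.pdf", "https://vendor.example/support.html"]

if __name__ == "__main__":
    for name, links, meta in (("farm", FARM_LINKS, XMP_SNIPPET), ("citations", CITATION_LINKS, b"")):
        v = link_farm_verdict(build_pdf(links, meta))
        print(name, {k: v[k] for k in v if k != "urls"})
        for url, channel in v["urls"].items():
            print("   ", channel, url)
```

Running the block prints one verdict per constructed PDF: the farm-style file fires the rule (7 clickable .pdf targets, 6 of them on one host) while the two-citation document does not, and the XMP namespace URIs come out labelled document_body rather than link_annotation, which is the distinction the EMBEDDED_URL note above is making.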

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  font_00_sfnt_off00006683.bin
SHA-256   ca1fe62d50a48c866885083b49670ecd9f7885b812c2790b92e91b8d111512b9
Kind      pdf-font-stream
Source    PDF embedded font (sfnt) at offset 0x6683
Size      8124 bytes