Malicious PDF — malware analysis report

Static analysis result for SHA-256 987f71a0df9e5084…

MALICIOUS

PDF

Size: 38.1 KB
Created: 2020-04-02 03:02:54 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 497643fa15f9da7b82d2934fbf97f8f8
SHA-1: 22f3d9311e17452fdc7cf08fd757959b0fb53faf
SHA-256: 987f71a0df9e5084c80f78837a60b822a8aaaed10572037ea773663b13f586aa
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, indicating a likely attempt to drive traffic to a network of related domains. No scripts were extracted, and the document body is largely unreadable, but the presence of numerous external links strongly suggests a malicious intent related to web traffic redirection or content delivery.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006b9f.bin
    SHA-256: bdbe20cd0e714c594e22015d42c868da47b22988f23d56014f9d25f88d848437
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B9F
    Size: 8168 bytes