Malicious PDF — malware analysis report

Static analysis result for SHA-256 9936488a4e8d1303…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Created: 2020-03-29 22:38:45 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 46f219270e0e2e40e9f859be5421ccd3
SHA-1: 691218879c4000847757f1d3a61485e661b9f3f4
SHA-256: 9936488a4e8d130300ced49837013b2322a3d0354661c13ff6f965f8dd0cf33c
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links point to further PDF files that share an identical /uploads/1/3/0/... path pattern across many different domains, consistent with a generated link farm or distribution network rather than genuine document citations. The primary URL extracted, http://hotelvic-phase2-ja.devsite-1.com/uploads/1/3/0/8/130874001/130874001.html#superficie+corporal+pediatria+calculadora, leads to a page of the same structure. The document body text is largely unreadable because of encoding issues but contains fragments of the primary URL and the word 'calculadora'; the URL fragment 'superficie+corporal+pediatria+calculadora' is Spanish for 'pediatric body surface area calculator', the likely search-engine lure topic.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://hotelvic-phase2-ja.devsite-1.com/uploads/1/3/0/8/130874001/130874001.html#superficie+corporal+pediatria+calculadora
    • http://tracyhouser00.com/uploads/1/3/0/7/130739363/382b9f.pdf
    • http://lancersonline.com/uploads/1/3/0/5/130588956/43ce55.pdf
    • http://privatebartenderneworleans.com/uploads/1/3/0/6/130620168/f2c02b.pdf
    • http://gulfstreamspirits.com/uploads/1/3/0/2/130288465/82806.pdf
    • http://madelinekingkneeland.com/uploads/1/3/0/3/130323818/85489c78103cb.pdf
    • http://thespinningshed.com/uploads/1/3/0/6/130621176/lipakadivep-tavotaxawero-vokej.pdf
    • http://mainia.ca/uploads/1/3/0/7/130739663/6036245.pdf
    • http://supersonicsoundsrecords.com/uploads/1/3/0/7/130775199/velog.pdf
    • http://buraaqthemovie.com/uploads/1/3/0/9/130969679/jetiz.pdf
    • http://thebrazilianblowoutbar.com/uploads/1/3/0/2/130288661/jexib.pdf
    • http://dapcploxy.org/uploads/1/3/0/9/130969847/jozelewepog.pdf
    • http://serenityseniorliving.org/uploads/1/3/0/9/130968967/9c9d99.pdf
    • http://vbsstructures.com/uploads/1/3/0/2/130272571/7486485.pdf
    • http://ameezing-eindhoven.nl/uploads/1/3/0/4/130476563/ea7a37c01704c5.pdf
    • http://rejuveclinica.com/uploads/1/3/0/6/130604375/8500482.pdf
    Namespace URIs from the XMP metadata stream (RDF, Dublin Core and Adobe XMP identifiers, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
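As an added example, not the report's own tooling, the following Python separates the two URL channels listed above (clickable /URI link actions versus namespace URIs in the XMP metadata stream) and applies a PDF_SEO_LINK_FARM-style rule to a constructed, non-renderable PDF skeleton built from the report's own URLs. The size and link-count thresholds are assumptions; the report does not publish the cut-offs behind its "small PDF" and "many links" wording. A production scanner would additionally inflate FlateDecode streams and object streams before matching, which this regex-only version does not do.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlparse

# Assumed thresholds for this example (the report's tool does not publish its own).
MAX_SIZE_BYTES = 100 * 1024   # what counts as a "small PDF"
MIN_PDF_LINKS = 5             # what counts as "many clickable external PDF links"

# Clickable channel: a link annotation's URI action, e.g.
#   /A << /S /URI /URI (http://host/path.pdf) >>
# Literal-string form only; hex strings and compressed objects are out of scope here.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")
# Non-clickable channel: XML namespace declarations inside XMP metadata.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_-]+="([^"]+)"')


def extract_uri_actions(data: bytes) -> List[str]:
    """URLs a user can reach by clicking (link-annotation /URI actions)."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)]


def extract_xmp_namespaces(data: bytes) -> List[str]:
    """URIs that serve as XML namespace identifiers in XMP metadata, not as links."""
    return [m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(data)]


def link_farm_verdict(data: bytes) -> Dict[str, object]:
    """Assumed reconstruction of a PDF_SEO_LINK_FARM-style heuristic."""
    clickable = extract_uri_actions(data)
    pdf_links = [
        u for u in clickable
        if urlparse(u).scheme in ("http", "https")
        and urlparse(u).path.lower().endswith(".pdf")
    ]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size": len(data),
        "clickable_count": len(clickable),
        "pdf_link_count": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": (top_count / len(pdf_links)) if pdf_links else 0.0,
        "fires": len(data) <= MAX_SIZE_BYTES and len(pdf_links) >= MIN_PDF_LINKS,
    }


def build_sample_pdf(urls: List[str], namespaces: Dict[str, str]) -> bytes:
    """Constructed input: a PDF-like byte skeleton with one link annotation per URL
    and an XMP packet. Not a renderable PDF; it carries only the objects the
    extractor keys on."""
    parts = ["%PDF-1.4\n"]
    for i, u in enumerate(urls, start=1):
        parts.append(
            f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({u}) >> >>\nendobj\n"
        )
    xmlns = " ".join(f'xmlns:{p}="{ns}"' for p, ns in namespaces.items())
    parts.append(
        f"{len(urls) + 1} 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
        f"<rdf:RDF {xmlns}><rdf:Description/></rdf:RDF>\nendstream\nendobj\n%%EOF\n"
    )
    return "".join(parts).encode("latin-1")


# Constructed sample built from URLs that appear in the report above.
SAMPLE_LINKS = [
    "http://tracyhouser00.com/uploads/1/3/0/7/130739363/382b9f.pdf",
    "http://lancersonline.com/uploads/1/3/0/5/130588956/43ce55.pdf",
    "http://privatebartenderneworleans.com/uploads/1/3/0/6/130620168/f2c02b.pdf",
    "http://gulfstreamspirits.com/uploads/1/3/0/2/130288465/82806.pdf",
    "http://mainia.ca/uploads/1/3/0/7/130739663/6036245.pdf",
    "http://buraaqthemovie.com/uploads/1/3/0/9/130969679/jetiz.pdf",
    "http://hotelvic-phase2-ja.devsite-1.com/uploads/1/3/0/8/130874001/130874001.html"
    "#superficie+corporal+pediatria+calculadora",
]
SAMPLE_XMP = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "dc": "http://purl.org/dc/elements/1.1/",
    "pdf": "http://ns.adobe.com/pdf/1.3/",
}
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP)

if __name__ == "__main__":
    for key, value in link_farm_verdict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
    print("xmp namespaces (not links):", extract_xmp_namespaces(SAMPLE_PDF))
```

On the constructed sample the rule fires on six clickable .pdf links in a file far under the size threshold, while the three XMP namespace URIs are reported separately and never counted as links; the per-host share stays low because, as in the report's list, every link sits on a different domain.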

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005e78.bin
  SHA-256: 72a3a0ce2bc37858de7c45f0311a17de52e43df066ba281bd6c592eee736d52f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5E78
  Size: 8228 bytes

Filename: font_01_sfnt_off00007cb0.bin
  SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7CB0
  Size: 16204 bytes