PDF malware analysis — malicious · 9ab7b11d792f6e82

MALICIOUS

PDF

52.9 KB Created: 2020-03-25 10:43:19 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 40d74bcf7f7a4a5d53a30c4867315bc1 SHA-1: 6c176fb22fb5bdc3981b3a7dbbd0f06a379593a0 SHA-256: 9ab7b11d792f6e82236e3242a5316eb02d8fa3bd3e18fb7947d0ba471ea786e8

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, a common tactic for SEO spam or to redirect users to malicious sites. The document body text, though partially corrupted, includes a URL that appears to be a lure for song downloads. No scripts were extracted from this sample, limiting the ability to determine further payload delivery or persistence mechanisms. The primary attack vector appears to be social engineering through link manipulation.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://fredheatingac.com/uploads/1/3/0/7/130738803/130738803.html#descargar+la+canci%C3%B3n+de+espinoza+paz+tomando+ando
- http://homespryte.com/uploads/1/3/0/9/130969019/8021136.pdf
- http://watersportsinkorea.com/uploads/1/3/0/7/130738576/larezomozipuxe.pdf
- http://russianair.com/uploads/1/3/0/5/130590456/xafolututorovof-gofirilimolu-kofike-lupesifejusujak.pdf
- http://eastpacificmarine.com/uploads/1/3/0/3/130323421/f47942.pdf
- http://yourwritewritingservice.us/uploads/1/3/0/7/130775531/nudosegarete.pdf
- http://afreshcoat.org/uploads/1/3/0/7/130776046/7024239.pdf
- http://notaiobrunzo.it/uploads/1/3/0/6/130604656/69c65.pdf
- http://www.zotoyi.net/uploads/1/3/1/1/131163879/2102757.pdf
- http://mrnicklawrence.com/uploads/1/3/0/4/130488968/biwuj-riwovubofode.pdf
- http://flynntodd.blog/uploads/1/3/0/5/130590158/619aac5ecc58.pdf
- http://casaarmonia.net/uploads/1/3/0/5/130550885/wobimupuxivezej-fevowigeta-finak.pdf
- http://astrologyandcrystallighttherapy.com/uploads/1/3/0/4/130435947/7303775.pdf
- http://thomasemyers.com/uploads/1/3/0/4/130489248/derekavuj.pdf
- http://mta-sts.mx.janewman.com/uploads/1/3/0/5/130539660/6708ae353a3.pdf
- http://casualcardtable.com/uploads/1/3/0/6/130639074/0fdbf14a63d02.pdf
- http://spigotscience.com/uploads/1/3/0/6/130603980/zesogubajogimiw.pdf
- http://mta-sts.mail.lhaconsult.com/uploads/1/3/0/5/130541221/jirixokukojasuri.pdf
- http://rebeccahelm.org/uploads/1/3/0/7/130740596/xulebogowudesor.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000072e8.bin` `e3b2584b4710d3dc1b448d23c9c981fb277383e02bdc5639cfe48ae164eb7c20`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72E8	9584 bytes
`font_01_sfnt_off000094d1.bin` `1610adf967ed1c60e664a9da54417e8b6db48f75c20afc41eebab2aa002651fc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x94D1	4492 bytes
`font_02_sfnt_off0000a31a.bin` `f9e6f3331e0d75428486aaaa038a43d9187e1298879152bd13b55cd3313a641e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA31A	2896 bytes
`font_03_sfnt_off0000ad71.bin` `779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAD71	16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.