Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ad4c434455187e2…

MALICIOUS

PDF

Size: 43.2 KB
Created: 2020-03-23 11:42:20 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: feae4083d50631f13617f352609c76a5
SHA-1: eb3cbba91bbba6f235c520c9fe5f4462ad810820
SHA-256: 9ad4c434455187e243bb48112a903bb9e1a7dbf6165157dc6b2f0ffdebb40b60
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 Malicious Link

The PDF document contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The document body itself is heavily obfuscated and contains embedded URLs, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://rmdrainageandplumbingltd.com/uploads/1/3/0/5/130588769/130588769.html#ar+600-8-11+pdf
    • http://hotellable.com/uploads/1/3/0/2/130270923/wojano-fafikolo-wumidovefefobi.pdf
    • http://43highst1.com/uploads/1/3/0/5/130551727/2751141.pdf
    • http://ritameher.com/uploads/1/3/0/8/130874320/detesizi.pdf
    • http://brentdiggs.info/uploads/1/3/0/6/130639296/0b43b02ee179a1.pdf
    • http://lena-lennrot-fitness.com/uploads/1/3/0/5/130540026/zixoweje.pdf
    • http://sidewalklegal.com/uploads/1/3/0/7/130775269/soladotaputol_moneluledemeni_tutibuxedaluka.pdf
    • http://mx.uppainters.com/uploads/1/3/0/2/130289308/kofapilujikibulilid.pdf
    • http://coloryourlifehealth.com/uploads/1/3/0/3/130323151/2c84427b.pdf
    • http://californiandeli.org/uploads/1/3/0/6/130639750/eacf5.pdf
    • http://dinosgrilledburger.com/uploads/1/3/0/4/130483872/ce85e3e8a4460.pdf
    • http://sammykphotography.com/uploads/1/3/0/4/130483187/c5e0b2b08c541.pdf
    • http://ivfamerica.com/uploads/1/3/0/5/130539179/9254757.pdf
    • http://mail.fullmoonhealingarts.com/uploads/1/3/0/4/130490643/babiwusupazalug-fitasokom.pdf
    • http://www.batterypro1.com/uploads/1/3/0/8/130874333/b08c6ff1caa4096.pdf
    • http://maison-ancestrale-beloeil.com/uploads/1/3/0/6/130620689/4685512.pdf
    • http://ogsglobalmg.com/uploads/1/3/0/8/130813779/sukamitumo_xewezekisoxev_bagoja.pdf
    • http://mail.inspiredonlinesites.com/uploads/1/3/0/7/130738881/c57b6.pdf
    • http://thefieldofpossibilities.com/uploads/1/3/0/7/130776525/bimulifipa_renisuw_demovimi.pdf
    • http://www.kamcustoms.com/uploads/1/3/0/6/130603977/zigojuxe-subazadub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008114.bin
SHA-256: ab200e82890222d39c304b71813503613699f58806423746cb6f86c5ae990fed
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8114
Size: 7864 bytes