MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body contains text related to a magnetic loop antenna, but this appears to be a lure. The primary function seems to be directing users to a network of websites, likely for SEO manipulation or to serve further malicious content. No scripts were extracted from this sample.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000089fc.bin 405674a5b45f0cceb6929a6b4ea1fca92aeba2d045681ef48977154e15312349 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x89FC | 7680 bytes |