Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d3cc257e275a29f…

Verdict: MALICIOUS
File type: PDF
Size: 38.9 KB
Created: 2020-04-07 09:42:00 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 94397606dfb5d1121411e36c9b31e8f4
SHA-1: 2e78ec4695375b2e1cd9c8eb3136c32350641014
SHA-256: 9d3cc257e275a29fa0f8db5424bea3a6e0f3aec929f2ae2fa8512f354f1a60bf
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1598 Gather Victim Identity Information
  • T1204 User Execution

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The embedded document body text, though partially corrupted, includes a URL that mirrors one of the external links, reinforcing the idea that the document's primary purpose is to redirect users to these external resources. No scripts were extracted, limiting further analysis of potential malicious payloads.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jenntreado.com/uploads/1/3/0/5/130546538/130546538.html#practical+machine+learning+tutorial+with+python+intro+p.1
    • http://jennadmassage.com/uploads/1/3/1/1/131164479/tisobulub_lolenina_bufapabuduteref_borogunazole.pdf
    • http://bobodigitalmarketing.com/uploads/1/3/0/2/130287929/7701452.pdf
    • http://homefrontbuildershouston.com/uploads/1/3/1/4/131437173/vasunasavis.pdf
    • http://stargiftltd.com/uploads/1/3/0/8/130874160/11c1e0ecae4.pdf
    • http://wahoc.org/uploads/1/3/0/6/130639209/eef0ccdee4f.pdf
    • http://bjhmontgomery.com/uploads/1/3/0/4/130483155/kelalo.pdf
    • http://mountainmitteneer.com/uploads/1/3/1/0/131069750/paguwetas-rexubasewun-modonirawexipuz.pdf
    • http://northcountypawscause.org/uploads/1/3/0/7/130738996/wusakiratojikavawexo.pdf
    • http://arriverealty.net/uploads/1/3/1/3/131398128/2dbdeb.pdf
    • http://securesanitation.net/uploads/1/3/1/4/131453336/6ea6377446a67f9.pdf
    • http://perthfloors.com/uploads/1/3/0/9/130969937/e03857fd54a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006f1e.bin
SHA-256: 44b7e49aff40a0ab506e65f84e4bdf24a0ff160c9988420c0e3b80ab5a8b41cc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6F1E
Size: 8032 bytes