Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fb61db2a005b612…

MALICIOUS

PDF

Size: 39.4 KB
Created: 2020-04-07 11:59:27 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 937155e1a75478cc4ea1f1b895d9175a
SHA-1: bcbffaa227bf5ce97e8f172bde460b692bd37750
SHA-256: 9fb61db2a005b61250770890337d85c57c8583a6346244721b21f995d4904242
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF documents hosted on various domains. The heuristic 'PDF_SEO_LINK_FARM' indicates this is a link farm, suggesting the primary purpose is to drive traffic to these external sites. The document body contains a Spanish phrase related to abbreviations, which may be a lure, and an embedded URL pointing to a similar HTML page. No scripts were extracted, and the primary malicious activity appears to be the distribution of links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document-body URL: http://carlosdia.com/uploads/1/3/0/2/130289541/130289541.html#como+se+abrevia+quimico+biologo+parasitologo
    Extracted URLs:
    • http://aikidocenterofathens.com/uploads/1/3/0/8/130814122/33c332f1e33.pdf
    • http://strategicimpactconsulting.net/uploads/1/3/0/6/130604188/5384606.pdf
    • http://e2biopharma.com/uploads/1/3/0/6/130620962/21cb1baa5ed76f2.pdf
    • http://nwintegrativeprimarycare.com/uploads/1/3/0/2/130288757/4281936.pdf
    • http://nhcohousing.org/uploads/1/3/0/4/130478057/c4a1cc0325.pdf
    • http://rolloffdumpsterrentalsanantonio.com/uploads/1/3/0/3/130313358/1971bb51.pdf
    • http://littlethatch.net/uploads/1/3/1/4/131412362/ef6c994f355d1.pdf
    • http://schulemengestorf.ch/uploads/1/3/0/2/130271067/vosixupumugokezide.pdf
    • http://clevelandprintworks.com/uploads/1/3/0/6/130640053/4764492.pdf
    • http://chupacandelabra.com/uploads/1/3/0/7/130775821/zakuwured.pdf
    • http://mcleanslaw.net/uploads/1/3/0/6/130639906/napiniporejusep-mupowi-sedetevok.pdf
    • http://angelsresourcecenter.org/uploads/1/3/0/8/130874248/f45b6.pdf
    • http://walkertrailerequipment.com/uploads/1/3/0/2/130289453/pixurotof.pdf
    • http://thenautilusproject.info/uploads/1/3/0/2/130287283/e9de2b93d65.pdf
    • http://bronzebyswacy.com/uploads/1/3/0/4/130478009/zileduna.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007167.bin
SHA-256:  aa1995c8e93aa2d200f1e90a23c5ca2ba4d48965358f19d67590268e8e7a7160
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x7167
Size:     8500 bytes