Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0c50a297898dddd…

MALICIOUS

PDF

55.4 KB Created: 2020-03-30 13:47:14 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 80c606121b0ed9add0d18304a39b0341 SHA-1: b32a6bb3ee2b31521129b027fee647a88a621080 SHA-256: a0c50a297898dddd977ce8027e230beec3906da7aadbdaf67cbe9c717a388b98
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body, though partially corrupted, suggests a lure related to 'creative timeline ideas'. The primary heuristic indicates a PDF link farm, suggesting the document's purpose is to redirect users to a network of potentially malicious websites. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wcd-qnv77h4.mgh-r.ch/uploads/1/3/1/4/131407365/131407365.html#ideas+de+como+hacer+una+linea+del+tiempo+creativa
    • http://empireinterpreting.net/uploads/1/3/0/3/130324440/jibujezeluxebovoke.pdf
    • http://deviantimpressions.com/uploads/1/3/0/4/130489742/kuzexer-birum-dafebu.pdf
    • http://novaimmobilien.eu/uploads/1/3/0/8/130814355/bodufofemexi.pdf
    • http://losachicboutique.ca/uploads/1/3/1/1/131164180/4760327.pdf
    • http://atlantaenforma.com/uploads/1/3/0/2/130270921/2352619.pdf
    • http://bobospa.org/uploads/1/3/0/6/130604552/3371632.pdf
    • http://bnppriskrfp-capgemini.com/uploads/1/3/0/8/130874237/devezenil_ravifikaxaxuve_wuxabu.pdf
    • http://savingdogsdaily.org/uploads/1/3/0/5/130551654/buzavewujuselu_kobigipoxedeb_riworizofuwozul.pdf
    • http://goddessglambeautysupply.com/uploads/1/3/0/6/130620234/1696057.pdf
    • http://northlandprojects.com/uploads/1/3/0/8/130813692/6169856.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000adc0.bin
b39eb11410ceb34c18b217ae1faa669e8a768110d9fc1d2e5e5ad91993623aa2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xADC0 9020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.