Malicious PDF — malware analysis report

Static analysis result for SHA-256 a49a6f1992b7beca…

Verdict: MALICIOUS
File type: PDF

Size: 36.7 KB
Created: 2020-05-17 20:11:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4da9ecd901f3eedc4a8354eb408a8ce1
SHA-1: d53ebf28d77913ff33c3c764e512d6b75fd4bd1e
SHA-256: a49a6f1992b7beca8ca72b6e9ea46254fa0ac970cccbe884322bdbef82458e48
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF contains a large number of external link annotations (/URI actions), a pattern typical of SEO-spam and link-farm carriers that route users to malicious or unwanted content. The visible document body is largely unreadable; the links point at other PDF files hosted on many different domains under an identical /uploads/1/3/x/y/<id>/ path layout, which is consistent with a link farm or redirection scheme served from a single hosting platform. The producer string (wkhtmltopdf) indicates the file was rendered from HTML, as generated carriers of this kind usually are. No JavaScript or other script content was extracted, so the risk in this sample lies in the links the user is invited to click, not in document-level code execution.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 18 .pdf links are spread across 18 distinct hosts that share the same /uploads/1/3/x/y/<id>/ path layout, so the clustering is by hosting pattern rather than by hostname.
  • External URI [info] PDF_URI
    PDF contains an external URL action (/URI).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://customerinsightsgroup.com/uploads/1/3/0/5/130588688/130588688.html#ar+rahman+biography+pdf (HTML landing page; the URL fragment carries a search-keyword string)
    • http://ginandtarnish.com/uploads/1/3/0/5/130588506/zokokifinajirenadu.pdf
    • http://convertiblepooltables.com/uploads/1/3/1/4/131409926/4927873.pdf
    • http://jennyperillo.com/uploads/1/3/1/4/131406799/92893a6a05c5492.pdf
    • http://itectp2018.com/uploads/1/3/1/4/131407742/vodabaruwazug.pdf
    • http://nelastyles.net/uploads/1/3/0/5/130589442/c8440148013df6.pdf
    • http://everyonecook.org/uploads/1/3/0/6/130620584/2938203.pdf
    • http://touzer.com/uploads/1/3/0/5/130590499/vipozemijazona_lanumejob_zovosabo.pdf
    • http://premier3dprinting.com/uploads/1/3/1/4/131452917/29fa0e04d.pdf
    • http://mindyourbs.com/uploads/1/3/0/3/130324320/80e73c782749.pdf
    • http://nhvfd18.org/uploads/1/3/0/3/130313333/folanam_lewuwetuf.pdf
    • http://smartflatfeelisting.com/uploads/1/3/1/4/131438758/gerumiva-tuvumeve-buritumuji-lufuf.pdf
    • http://westforksupply.com/uploads/1/3/0/7/130775918/3512322.pdf
    • http://stclaircleaners.com/uploads/1/3/1/3/131380755/finatul.pdf
    • http://longdistancecouple.com/uploads/1/3/0/8/130873867/5452968.pdf
    • http://sovereignglobalaccountants.com/uploads/1/3/1/3/131379182/704548.pdf
    • http://iwavs.com/uploads/1/3/0/3/130323232/bobegumuva.pdf
    • http://f2photos.net/uploads/1/3/0/7/130776147/bemumuzo.pdf
    • http://roucekpartners.com/uploads/1/3/0/7/130775461/vatogiva_tinuwobisunet_refigov.pdf
    The following six URIs are XMP/RDF namespace identifiers from the document's metadata packet (RDF syntax, Dublin Core, Adobe PDF and XMP schemas), not clickable links; they appear here because the extractor reports every URL-shaped string, including those inside the XMP packet:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
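The link-farm heuristic above, as an added example that is not part of this report or of the analysis engine that produced it: a Python triage script that pulls every /URI action out of an uncompressed PDF, counts the links whose path ends in .pdf, groups them by host, and keeps XMP namespace URIs out of the link count. The sample PDF, its hosts (*.example) and the thresholds (100 KB, 10 links) are constructed assumptions for the demonstration, not the analysed file.

```python
"""Added example: flag the SEO link-farm pattern in a PDF by counting
clickable external links to other PDFs and grouping them by host, while
ignoring XMP/RDF namespace URIs that only live in the metadata packet."""
import re
from collections import Counter
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Both patterns work on uncompressed objects only. Annotations stored in
# object streams (/ObjStm) or Flate-compressed dictionaries must first be
# expanded, e.g. `qpdf --qdf --object-streams=disable in.pdf out.pdf`.
# URIs written as hex strings (<...>) or containing escaped parentheses
# are not handled by this minimal matcher.
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
XMP_NAMESPACE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')


def pdf_link_uris(data: bytes) -> List[str]:
    """Every URI reached through a /URI action, i.e. a clickable link."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(data)]


def xmp_namespace_uris(data: bytes) -> Set[str]:
    """URIs that appear only as XML namespace declarations; never links."""
    return {m.group(1).decode("latin-1") for m in XMP_NAMESPACE.finditer(data)}


def link_farm_triage(data: bytes, small_kb: int = 100,
                     min_pdf_links: int = 10) -> Dict[str, object]:
    """Assumed thresholds: a file under `small_kb` KB carrying at least
    `min_pdf_links` external .pdf links is flagged as a link-farm carrier."""
    links = pdf_link_uris(data)
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    return {
        "size_kb": round(len(data) / 1024, 1),
        "link_count": len(links),
        "pdf_link_count": len(pdf_links),
        "distinct_hosts": len(hosts),
        # share of .pdf links on the single most common host
        "top_host_share": round(max(hosts.values()) / len(pdf_links), 2) if pdf_links else 0.0,
        "xmp_namespaces_ignored": len(xmp_namespace_uris(data)),
        "flag": len(data) < small_kb * 1024 and len(pdf_links) >= min_pdf_links,
    }


def build_sample_pdf(urls: List[str]) -> bytes:
    """Constructed test input: a minimal, uncompressed PDF skeleton with one
    /Link annotation per URL plus an XMP metadata stream. It is not a
    viewer-valid file and is not the analysed sample; it only exercises the
    matchers above."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /Type /Action /S /URI /URI (" + u.encode("ascii") + b") >> >>\n"
        for u in urls
    )
    xmp = (
        b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>'
    )
    return (b"%PDF-1.4\n" + annots
            + b"<< /Type /Metadata /Subtype /XML >>\nstream\n" + xmp
            + b"\nendstream\n%%EOF\n")


# Constructed hosts (*.example); the path layout mimics the report's URLs.
SAMPLE_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/5/{130588000 + i}/doc{i}.pdf"
    for i in range(1, 13)
] + ["http://landing.example/uploads/1/3/0/5/130588688/index.html#biography+pdf"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_triage(SAMPLE_PDF))
```

The constructed sample reproduces the shape seen in this report: many .pdf links on many distinct hosts, so `top_host_share` stays low while `distinct_hosts` is high; a true single-host cluster would show the opposite. On a real file, expand object streams first (the qpdf command in the comment) or the annotation dictionaries will never reach the regex.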

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000647e.bin
SHA-256: bda78b79759dfee0e959955479a2d38fb13ccc6201a8e6428a6e60d9a0901329
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x647E
Size: 10160 bytes
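How an artifact like the embedded sfnt font above gets carved, as an added example that is not part of this report or its analysis engine: a Python carver that scans a PDF for sfnt headers (TrueType, CFF OpenType and Apple TrueType magics), sizes each candidate from its own table directory instead of trusting the stream's declared /Length, and hashes the slice. The two-table font skeleton and the PDF fragment wrapping it are constructed inputs, not the analysed sample.

```python
"""Added example: locate an embedded sfnt (TrueType/OpenType) font inside a
PDF by its header, size it from its own table directory rather than the
stream's declared /Length, and carve it for hashing."""
import hashlib
import struct
from typing import Dict, List, Optional

# TrueType, CFF-based OpenType, Apple TrueType
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def sfnt_extent(data: bytes, off: int) -> Optional[int]:
    """Byte length of the font starting at `off`, computed as the furthest
    table end in its directory; None if the header is not a plausible sfnt
    (wrong magic, absurd table count, non-printable tag, table past EOF)."""
    if data[off:off + 4] not in SFNT_MAGICS or off + 12 > len(data):
        return None
    num_tables = struct.unpack(">H", data[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:
        return None
    end = 12 + 16 * num_tables  # header plus table directory
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(data):
            return None
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", data[rec:rec + 16])
        if any(b < 0x20 or b > 0x7E for b in tag):
            return None
        end = max(end, t_off + t_len)
    return end if off + end <= len(data) else None


def carve_sfnt_fonts(data: bytes) -> List[Dict[str, object]]:
    """Scan the whole file for sfnt headers and return offset, length and
    SHA-256 for every candidate that passes sfnt_extent()."""
    found = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            length = sfnt_extent(data, pos)
            if length is not None:
                blob = data[pos:pos + length]
                found.append({"offset": pos, "length": length,
                              "sha256": hashlib.sha256(blob).hexdigest()})
            pos = data.find(magic, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def build_sample_font() -> bytes:
    """Constructed two-table TrueType skeleton (head + name), 120 bytes.
    Not a usable font; just a well-formed directory for the carver."""
    head = bytes(54)                   # zeroed head table, 54 bytes
    name = b"constructed-name-tbl"     # 20 bytes of placeholder data
    # numTables=2, searchRange=32, entrySelector=1, rangeShift=0
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 2, 32, 1, 0)
    directory = (struct.pack(">4sIII", b"head", 0, 44, len(head))
                 + struct.pack(">4sIII", b"name", 0, 100, len(name)))
    return header + directory + head + bytes(2) + name  # head padded to 4


SAMPLE_FONT = build_sample_font()
# Constructed PDF fragment wrapping the font in a stream object (not the
# analysed sample). Here /Length matches the true extent; a tampered file
# could declare a /Length that does not, which is why the carver ignores it.
_PREFIX = b"%PDF-1.5\n5 0 obj\n<< /Length 120 /Length1 120 >>\nstream\n"
SAMPLE_PDF = _PREFIX + SAMPLE_FONT + b"\nendstream\nendobj\n%%EOF\n"
SAMPLE_FONT_OFFSET = len(_PREFIX)

if __name__ == "__main__":
    for font in carve_sfnt_fonts(SAMPLE_PDF):
        print(font)
```

The header's own searchRange/entrySelector bytes happen to contain the TrueType magic eight bytes in, so a naive magic scan yields a second hit; the table-count sanity check rejects it. Comparing the directory-derived length with the stream's /Length (or with the 10160 bytes recorded for the artifact above) is a cheap way to spot a font stream whose declared size and real structure disagree.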