Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4ba372670b47f64…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Created: 2020-06-09 05:28:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 419bb7c6ba6c22393998bc1d09c1722b
SHA-1: c3a20079fe75a37019d17da0bba45cdc9d91226b
SHA-256: a4ba372670b47f643ec684b260e7542cf25296a972e5eb366c597a1e2a6e725f
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though partially corrupted, includes text suggesting it is a 'workbook' and contains URLs that are likely part of a link farm or SEO spam operation. Such links are designed to redirect users to potentially malicious or unwanted content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000694a.bin
  SHA-256: bffa38f95a48c1f660805bcab7a7b8344639af63ad225b7bc2a299e94d22bc6e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x694A
  Size: 12420 bytes

Filename: font_01_sfnt_off00009204.bin
  SHA-256: c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9204
  Size: 16204 bytes