Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5a879578e6661f8…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-03-23 07:27:43 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 628f0143283dbb2ffa4f078acbf0b9b8
SHA-1: 1c8dfc5ebffb33a9faa5ec3835da3e0d6f88ce2f
SHA-256: a5a879578e6661f8a66b8a54b9bf23ee0634565bc4bc8f2c83d69f07e8d458d4
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, contains a URL that points to an HTML file, and the heuristic firings indicate a mass of external PDF links. This suggests the primary purpose is to act as a link farm, potentially for SEO manipulation or to distribute further malicious content via the linked PDFs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (document body): http://marilusdesigns.com/uploads/1/3/0/5/130542769/130542769.html#monicion+de+entrada+boda+original

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000749f.bin
SHA-256: 4b1e23c6747632642b2567749f76a9f2068b78894ef56b9d0943ec0a96650220
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x749F
Size: 9416 bytes