Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6e7734b7d2964f9…

Verdict: MALICIOUS
File type: PDF
Size: 72.8 KB
Created: 2020-06-05 05:15:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 027c73b5198b9788b37a93e80ce01edb
SHA-1: 82dc5e45aea9dc2470d8f9d7784ae1c0ec61e50b
SHA-256: a6e7734b7d2964f9a541ff3a02e273c4204cb0d231389cfbcb5698d2323acf4a
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links. Most point to .pdf files under near-identical /uploads/1/3/.../<numeric id>/ paths on many otherwise unrelated domains, plus a set of wordpress.com file-hosting URLs dated 2020/06, a pattern typical of generated SEO link-farm carriers rather than of a document's genuine citations. The one host with several links (a br3h.com subdomain) serves the landing page and its terms/dmca/policy pages, which are likely used to route users into the farm. The 'link farm' heuristic together with the number of URLs of unknown reputation points to a document built to drive traffic to potentially harmful content rather than to inform a reader.

Heuristics (4)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_URGENCY_LURE [low]: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://xinquanxunwangxinbao2wangzhi.br3h.com/uploads/1/3/1/4/131407876/131407876.html#onigiri+leveling+guide
    • http://helendear.org/uploads/1/3/1/4/131453950/11fa071c5e78476.pdf
    • http://jwesleyward.com/uploads/1/3/1/8/131857631/5ebc4a0.pdf
    • http://kvcllc.net/uploads/1/3/0/5/130551303/cc378ea3.pdf
    • http://laughingpigtheatre.org/uploads/1/3/0/9/130969082/lufifud.pdf
    • http://11thhourtravel.com/uploads/1/3/0/9/130969818/7006776.pdf
    • http://eckelevents.com/uploads/1/3/1/4/131437421/tobugez-niteke-womiluninevase-mofowenikulu.pdf
    • http://jabbathehuttbutt.com/uploads/1/3/1/4/131407802/zinozaxo.pdf
    • http://lobecktaylor.org/uploads/1/3/0/6/130620581/9536226.pdf
    • http://nishkarshcoaching.in/uploads/1/3/1/3/131383921/migodesunusil.pdf
    • http://taylorbuiltga.com/uploads/1/3/0/4/130488851/2758369d1d3d8d2.pdf
    • http://xinquanxunwangxinbao2wangzhi.br3h.com/uploads/1/3/1/4/131407876/terms.html
    • http://xinquanxunwangxinbao2wangzhi.br3h.com/uploads/1/3/1/4/131407876/dmca.html
    • http://xinquanxunwangxinbao2wangzhi.br3h.com/uploads/1/3/1/4/131407876/policy.html
    • https://wigasoxela.files.wordpress.com/2020/06/dekapidixarekamuzer.pdf
    • https://tupuxuw.files.wordpress.com/2020/06/lewib.pdf
    • https://moniliwi.files.wordpress.com/2020/06/30978987493.pdf
    • https://sanolosu.files.wordpress.com/2020/06/xijog.pdf
    • https://difimedo.files.wordpress.com/2020/06/89541573321.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries (RDF, Dublin Core and Adobe XMP namespaces) are namespace URIs from the document's XMP metadata stream, not clickable links; they occur in any PDF that carries XMP metadata and carry no signal here.
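The PDF_SEO_LINK_FARM and EMBEDDED_URL findings above describe a check that is easy to reproduce on raw PDF bytes: collect the targets of /URI actions (the clickable links), keep them apart from URLs that merely sit in the XMP metadata stream, and flag a small file whose links cluster on one host. The Python below is an added example, not the report's own tooling. It builds a constructed sample PDF (the hosts such as farm.example are invented), labels each URL by the channel it was found in, and applies assumed thresholds for the link-farm score; the report itself states no thresholds.

```python
"""Link-farm triage on raw PDF bytes: extract /URI action targets and XMP namespace URIs,
label each URL by channel, and score the PDF_SEO_LINK_FARM pattern.
Added example, not the report's tooling. Thresholds and the sample PDF are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): eight /Link annotations, five on one host,
# plus an XMP metadata stream whose xmlns attributes carry namespace URIs.
XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
LINKS = [
    b"http://farm.example/uploads/1/3/1/4/131407876/a1b2.pdf",
    b"http://farm.example/uploads/1/3/1/4/131407876/terms.html",
    b"http://farm.example/uploads/1/3/1/4/131407876/dmca.html",
    b"http://farm.example/uploads/1/3/1/4/131407876/policy.html",
    b"http://farm.example/uploads/1/3/1/4/131407876/c3d4.pdf",
    b"https://blog.example.org/2020/06/guide.pdf",
    b"http://other.example.net/uploads/1/3/0/9/130969082/x.pdf",
    b"http://another.example.com/uploads/1/3/0/6/130620581/y.pdf",
]


def build_sample_pdf() -> bytes:
    """Assemble a minimal, uncompressed PDF with one link annotation per URL in LINKS."""
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
        + b" ".join(b"%d 0 R" % (5 + i) for i in range(len(LINKS))) + b"] >> endobj\n",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP),
        XMP + b"\nendstream\nendobj\n",
    ]
    for i, u in enumerate(LINKS):
        parts.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                     b"/A << /S /URI /URI (%s) >> >> endobj\n" % (5 + i, 20 * i, 20 * i + 15, u))
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


SAMPLE_PDF = build_sample_pdf()

# A /URI key followed by a literal string occurs only in URI actions (the "/S /URI" name is
# never followed by "("), so this catches the action whatever the key order. Caveat: it does
# not handle hex-string values or objects packed in compressed object streams; inflate real
# samples first (e.g. qpdf --qdf) before running this over them.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
METADATA_STREAM = re.compile(rb"/Type\s*/Metadata.*?stream\r?\n(.*?)endstream", re.S)
HTTP_URL = re.compile(rb"https?://[^\s\"'<>]+")


def _unescape(s: bytes) -> str:
    """Undo the PDF literal-string escapes for parentheses and backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs reachable by clicking: the targets of /URI actions, in file order."""
    return [_unescape(m) for m in URI_ACTION.findall(pdf)]


def extract_metadata_uris(pdf: bytes) -> list[str]:
    """URLs that only appear inside XMP metadata streams (namespace declarations), not links."""
    out = []
    for block in METADATA_STREAM.findall(pdf):
        out.extend(u.decode("latin-1") for u in HTTP_URL.findall(block))
    return out


def label_urls(pdf: bytes) -> dict[str, str]:
    """Per-URL channel labels in the spirit of the EMBEDDED_URL finding."""
    labels = {u: "link annotation (/URI action)" for u in extract_uri_actions(pdf)}
    for u in extract_metadata_uris(pdf):
        labels.setdefault(u, "xmp metadata namespace (not clickable)")
    return labels


def link_farm_score(pdf: bytes, min_links: int = 8, cluster_ratio: float = 0.5,
                    max_size: int = 200 * 1024) -> dict:
    """Assumed thresholds: a PDF no larger than max_size bytes with at least min_links
    clickable external links, at least cluster_ratio of them on a single host."""
    links = extract_uri_actions(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / len(links) if links else 0.0
    return {
        "size": len(pdf),
        "links": len(links),
        "hosts": len(hosts),
        "top_host": top_host,
        "top_host_ratio": ratio,
        "link_farm": len(pdf) <= max_size and len(links) >= min_links and ratio >= cluster_ratio,
    }


if __name__ == "__main__":
    for url, channel in label_urls(SAMPLE_PDF).items():
        print(f"{channel:40} {url}")
    print(link_farm_score(SAMPLE_PDF))
```

On the constructed sample the score reports 8 clickable links over 4 hosts with 5/8 on farm.example, so the link-farm flag is set, while the two namespace URIs are labelled as metadata and never enter the host count. On a real file, pair this with reputation lookups for the hosts that carry the /URI actions rather than for every string that looks like a URL.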

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams, consistent with wkhtmltopdf output; nothing executable was carved.

font_00_sfnt_off0000985c.bin
  SHA-256: 08e30d282ff4cc556d0aa7da12e83aaaa7d7d29919cca5aa020b2137305fbc9a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x985C
  Size: 21252 bytes

font_01_sfnt_off0000db1a.bin
  SHA-256: e1bfea61019dffcba586b1bafb8b3a86afcedf39520068850945b968346c3451
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDB1A
  Size: 11136 bytes

font_02_sfnt_off0001015c.bin
  SHA-256: 29a60492f44b39d68fa00197234d6df9a0cf581d74754725da64c153577ac146
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1015C
  Size: 16132 bytes