Malicious PDF — malware analysis report

Static analysis result for SHA-256 a90e878fbd2300d8…

Verdict: MALICIOUS

File type: PDF

Size: 32.1 KB
Created: 2020-06-09 23:26:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 927661bc3015c993085750e0467b8b97
SHA-1: 11744cc815627c305b28aac3c5cdeada2396da2c
SHA-256: a90e878fbd2300d84b0ea50ece586dee7d3601aa99ca419c6e17294947cb868c
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits the characteristics of a link farm: it carries numerous embedded external URLs pointing to a range of domains. The heuristic PDF_SEO_LINK_FARM flags this pattern specifically, indicating a high likelihood that the links are meant to lead users to malicious content or phishing sites. The document body consists of garbled text but also includes some of the URLs, which reinforces the link-based attack vector. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005272.bin
SHA-256: 65a72cbf360238e8a7de35193eb1fb894304631625514ba04c822185a7a0dbce
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5272
Size: 10592 bytes