Malicious PDF — malware analysis report

Static analysis result for SHA-256 af1c307931acf81a…

Verdict: MALICIOUS
File type: PDF
Size: 52.2 KB
Created: 2020-04-01 13:06:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: fe38cc92954acf36e5047227ce46ea42
SHA-1: b6c248556bea30f6e832f8579ce072eecae5f0cd
SHA-256: af1c307931acf81a7a6523fed93938ace035265fe1094e6fb773e42337ad8c88
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. This suggests a link farm or SEO poisoning tactic designed to attract users searching for specific content, such as "problems of philosophy pdf download". The primary URL identified is http://brakeactive.com/uploads/1/3/0/7/130775489/130775489.html#problems+of+philosophy+pdf+download, which is likely part of this scheme to redirect users to malicious resources.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://brakeactive.com/uploads/1/3/0/7/130775489/130775489.html#problems+of+philosophy+pdf+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000a2d0.bin
SHA-256: f52db340cc98e4c87cb275c41e9067ee56f255230002f64bbadd3d1bf2f13101
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xA2D0
Size: 8704 bytes