Malicious PDF — malware analysis report

Static analysis result for SHA-256 af7b62f745260a06…

MALICIOUS

PDF

Size: 35.1 KB
Created: 2020-05-17 01:22:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 11cb4fc4f57e571e8299cba6b521e8fc
SHA-1: 8f1bf020165fa88b4a290eb84daa8b2aef7102f8
SHA-256: af7b62f745260a068be92119140daa699b07e17c614e101a1bd162fbd536b942
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a pattern commonly used for SEO poisoning or to redirect users to malicious sites. The heuristic 'PDF_SEO_LINK_FARM' identifies this behavior specifically, indicating a likely attempt to distribute malware or phish for credentials. No scripts were extracted, but the sheer volume of links suggests a high probability of malicious intent.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bmajorevents.net/uploads/1/3/0/8/130874358/130874358.html#all+bhajan++djpunjab
    • http://badasscoinrings.net/uploads/1/3/1/4/131437208/sokupaloluw.pdf
    • http://sfpbfun.com/uploads/1/3/1/6/131606875/8600496.pdf
    • http://asharperimage.ca/uploads/1/3/1/3/131379740/muzalivix-dokegu-ponibixok-baxiwifula.pdf
    • http://distinctivehandyman.com/uploads/1/3/0/6/130604667/700649abe139.pdf
    • http://line-daily.com/uploads/1/3/1/4/131482823/jagozotewuxogowiga.pdf
    • http://outex.lv/uploads/1/3/0/7/130739087/rabiloxekopubiwu.pdf
    • http://jinhui-mechanics.com/uploads/1/3/0/9/130969481/04540b.pdf
    • http://ragalat.com/uploads/1/3/1/6/131637143/negatizawafired.pdf
    • http://fortheloveoffashion.blog/uploads/1/3/0/8/130873914/670778.pdf
    • http://therealmollyanderson.com/uploads/1/3/0/5/130547418/sasaxoduban.pdf
    • http://berrycutenails.com/uploads/1/3/0/7/130775551/6361678.pdf
    • http://alecbannon.com/uploads/1/3/0/6/130604820/4370360.pdf
    • http://lilafy.com/uploads/1/3/1/8/131856584/vorilad.pdf
    • http://originalacquisitions.com/uploads/1/3/0/4/130489131/914ebf25d26b.pdf
    • http://spiritofhopeathomenursing.com/uploads/1/3/0/9/130969214/36d9269ba.pdf
    • http://kelseymmontgomery.com/uploads/1/3/0/4/130483364/1834997.pdf
    • http://buyersmarketnetwork.com/uploads/1/3/1/6/131636727/1c6d2bebbb71b57.pdf
    • http://friendshipbaptistcarthage.com/uploads/1/3/0/6/130604402/zomat_vadus_vekenoje_bifebaz.pdf
    • http://awakeningtogetherglobally.com/uploads/1/3/0/6/130639197/pifisaselujegovi.pdf
    • http://stuccovenetiano.com/uploads/1/3/1/6/131636983/dofalegige_dopuvuwogo_busugox_baravul.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005e6a.bin
SHA-256: d6374b711569df94ccdc1ba6acd0b06e3481172d7ff828d19a0a1991be2f6037
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5E6A
Size: 10244 bytes