Malicious PDF — malware analysis report

Static analysis result for SHA-256 b03ede64f73818d2…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2020-03-29 04:38:00 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8ff86ecf27d018fd8236f5ae1a756f8f
SHA-1: 9302dcfca30042b5468b895e8df2fe8ef1f7c821
SHA-256: b03ede64f73818d2742b006a928d8a8382ea37cb04615db79ece12f59b63c526
Risk score: 142

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF document contains a launch action that directs the user to an external URL, disguised with content related to coloring pages. It also exhibits a PDF SEO link farm pattern, embedding numerous external links to other PDF files. This suggests a campaign focused on driving traffic or distributing further malicious content through a network of compromised or controlled domains.

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Launch action (severity: high, rule: PDF_LAUNCH)
    PDF contains a /Launch action with an unresolved or extension-less target; treat as potentially dangerous.
  • Clickable PDF combines external action with parser-evasion structure (severity: high, rule: PDF_ACTION_PARSER_EVASION)
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-75-235.mgwnet.com/uploads/1/3/0/7/130775628/130775628.html#imagenes+de+letras+para+colorear

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006b9c.bin
SHA-256: f1a517bfbc3696034906f8bbfa8b06d6dcc2f06ea92bbcb107fe8fe21ec86945
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6B9C
Size: 7744 bytes