Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1f28f705b1f444e…

MALICIOUS

PDF

33.1 KB Created: 2020-06-03 13:08:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ff4d6b5d2b39ec08259b9d0dd0bc2f1b SHA-1: d00aec3c02695785e6e499f18dc78c8cece938e3 SHA-256: b1f28f705b1f444efb8ea402e645301ee3cdf87659a4e4f37e1ad489b2a1aa70
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body text, though partially corrupted, suggests a lure related to a '1997 polaris xplorer 500 owners manu'. The primary purpose appears to be directing users to a network of websites, likely for SEO manipulation or to host further malicious content.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hanvengrove.com/uploads/1/3/1/4/131454916/131454916.html#1997+polaris+xplorer+500+owners+manu
    • http://webmail.wc911.com/uploads/1/3/0/6/130603905/d01363a5e73b1.pdf
    • http://texasdriveinn.com/uploads/1/3/0/7/130776212/wokipejoviremar.pdf
    • http://ridetolivemotorcyclemarketing.com/uploads/1/3/0/4/130476492/1d1a0f.pdf
    • http://disabilitydirections.com/uploads/1/3/0/5/130588503/49fab6430e1d2.pdf
    • http://bestroofcleaningkirkland.com/uploads/1/3/1/1/131164549/libuvomow-xusaweguxod.pdf
    • http://hanvengrove.com/uploads/1/3/1/4/131454916/terms.html
    • http://hanvengrove.com/uploads/1/3/1/4/131454916/dmca.html
    • http://hanvengrove.com/uploads/1/3/1/4/131454916/policy.html
    • https://pavofozib.files.wordpress.com/2020/05/xebogijutirusimolutigenad.pdf
    • https://porugisi.files.wordpress.com/2020/05/dapisenuvajofagobelufesas.pdf
    • https://xapifivin.files.wordpress.com/2020/06/28385476260.pdf
    • https://remowirosuno.files.wordpress.com/2020/06/kosida.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000056b9.bin
01968898d60d3e309fd54484011f684288fcb3c60d42834b47f152d3e119cd28		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56B9 10132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.