MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF document contains a large number of external links, many of which point to other PDF files. This is indicative of a link farm or SEO poisoning technique, designed to lure users into clicking on potentially malicious content. The presence of a visual download button lure further supports this malicious intent. The document body contains garbled text mixed with URLs, suggesting it was generated programmatically.
Heuristics 4
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000087f3.bin 5ccfac76706b382ebc2d0d13432425d37261a0606cd30118f5a1d8d521240e3b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x87F3 | 10840 bytes |