Malicious PDF — malware analysis report

Static analysis result for SHA-256 b380f5f3ddb43767…

MALICIOUS

PDF

34.9 KB Created: 2020-06-04 17:39:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 63fab974be25afeb0005fc069d949223 SHA-1: 25158b2795f22c144a34180cf561f035a6908240 SHA-256: b380f5f3ddb437678ce5317255072816c16b3832a9cc20d443a22ddf850b2512
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. The document body text and embedded URLs suggest a lure related to downloading a 'reloading handbook', which is a common tactic for distributing malicious content. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, likely for SEO poisoning or to host a large number of malicious files. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://spisale.com/uploads/1/3/0/2/130288600/130288600.html#lyman+49th+edition+reloading+handbook+pdf+download
    • http://caletaylor.com/uploads/1/3/0/9/130969415/lanasinapedemapa.pdf
    • http://redhead98.net/uploads/1/3/0/7/130776684/372f822f2174c4b.pdf
    • http://rosebenaturals.com/uploads/1/3/0/8/130874365/zawasedita_vuluxabapipiluf_jitabonuse_jaweden.pdf
    • http://uncomplicateparenting.com/uploads/1/3/0/6/130620607/jevejewegate_pupimaworokago.pdf
    • http://firsttimeinkenya.org/uploads/1/3/0/4/130476575/5542314.pdf
    • http://webmail.hermitagefbc.com/uploads/1/3/0/6/130621455/f8029d60c.pdf
    • http://spisale.com/uploads/1/3/0/2/130288600/terms.html
    • http://spisale.com/uploads/1/3/0/2/130288600/dmca.html
    • http://spisale.com/uploads/1/3/0/2/130288600/policy.html
    • http://spisale.com/uploads/1/3/0/2/13028860
    • https://safowus.files.wordpress.com/2020/06/80389467993.pdf
    • https://taxasegino.files.wordpress.com/2020/06/63290134170.pdf
    • https://numafudip544870020.files.wordpress.com/2020/06/napekozetunazowebafo.pdf
    • https://mukagalezep.files.wordpress.com/2020/06/54094213811.pdf
    • https://piputefanag.files.wordpress.com/2020/06/64476133804.pdf
    • https://tuwokovi.files.wordpress.com/2020/06/65605585618.pdf
    • https://kaxatesuv.files.wordpress.com/2020/06/7614828294.pdf
    • https://valunip.files.wordpress.com/2020/06/kogakodife.pdf
    • https://munedit.files.wordpress.com/2020/06/4138638905.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005a8e.bin
5f3ec6f955f3f56586e1a417eaabc7c4bf5d506a7cfafee06348b3a7fbfbbce1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A8E 10660 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.