Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6443148cfae33ad…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2020-03-15 14:14:57 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8828d3fc1b06cf4b781219ad7184cc31
SHA-1: 13a0a657be6d709ab0cd14ba35cd937e2278f5b6
SHA-256: b6443148cfae33ada6053e5c740786b30f4e82322ed7ee3912612ed8f5ba52af
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a method to distribute malicious content. The document body itself is largely unreadable binary data, but it does contain the URL http://dedicated-3.pleasingfood.com/uploads/1/3/0/4/130435561/130435561.html#lettre+encyclique+caritas+in+veritate+pdf, which is also listed among the extracted URLs. The primary attack pattern appears to be directing users to external resources through a deceptive document.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dedicated-3.pleasingfood.com/uploads/1/3/0/4/130435561/130435561.html#lettre+encyclique+caritas+in+veritate+pdf
    • http://teamschoolreview.com/uploads/1/3/0/3/130379352/besetul.pdf
    • http://photoclube.com/uploads/1/3/0/6/130604392/df676d5bf.pdf
    • http://digitalstoryworks.net/uploads/1/3/0/7/130740450/zigedovisuwolaf-bavelalefox-kekaduw-bojozeva.pdf
    • http://coincomptable.com/uploads/1/3/0/6/130639763/27fae3ac5a5a1c.pdf
    • http://alexazedek.com/uploads/1/3/0/5/130551764/vefepedipipem_buwuzubijafiv_pobowi_favanez.pdf
    • http://touchforhealth.co.za/uploads/1/3/1/0/131070458/7663416.pdf
    • http://shop.thechildrenscottagefortmill.com/uploads/1/3/0/8/130813883/8211477.pdf
    • http://digitalmediamarketingservice.com/uploads/1/3/0/6/130620427/1901616.pdf
    • http://minnickmanagementhoa.com/uploads/1/3/0/8/130813648/xojixekona_wigugojul_suduwi_nabenomevejul.pdf
    • http://www.southpacificsuperyachtclub.com/uploads/1/3/0/3/130313037/0e3856c1.pdf
    • http://northcountypawscause.org/uploads/1/3/0/4/130435751/e09c2.pdf
    • http://sandyburlesoneportfoliowfu.com/uploads/1/3/0/7/130738647/6148378.pdf
    • http://jefflinder.net/uploads/1/3/0/5/130550993/goxodogexutuwaj.pdf
    • http://baumanbaps.com/uploads/1/3/0/4/130488197/bokexapuwav-fasupas-fufubovinari-xonur.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00009919.bin
Hash (SHA-256): 62ff5d6087c0c4e26ef452ef286d5305de7f3a279328b71ad9b1151b1e05d4e7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x9919
Size: 7620 bytes