Malicious PDF — malware analysis report

Static analysis result for SHA-256 b77ad41632300edb…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Created: 2020-03-09 14:17:56 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6e204cb966f01243f14a2cbe3c4d4f61
SHA-1: 5dac04d26b9c8e3af147d691d6a445d2f31ba9dd
SHA-256: b77ad41632300edb06ee9c99994692c9c754a9ebb4668948763e2eab93feaa02
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of clickable external links for its size (36.5 KB), a pattern typical of generated SEO-spam carriers that route users into malicious or unwanted-software download chains, not of a document citing its sources. The heuristic PDF_SEO_LINK_FARM flags exactly this pattern. Eleven of the link targets are .pdf files hosted on eleven different domains that share one auto-generated path scheme (/uploads/1/3/0/<digit>/<nine-digit id>/<name>.pdf), which points to a single hosting pipeline rather than to unrelated sites; the authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with automated generation. The document body text is largely unreadable, but the URL http://uxd66r.bdgct.com/uploads/1/3/0/8/130814187/130814187.html#total+plate+count+method+usp carries a search-query-style fragment ("total plate count method usp"), suggesting the lure is keyed to that search term. The six remaining URLs are XMP/RDF metadata namespace identifiers, not links, and do not contribute to the verdict.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host or on one generated path scheme. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets (clickable):
    • http://uxd66r.bdgct.com/uploads/1/3/0/8/130814187/130814187.html#total+plate+count+method+usp
    • http://margiesfriedchicken.com/uploads/1/3/0/7/130776519/6b5e92b9efb9b.pdf
    • http://sohyunparkpiano.com/uploads/1/3/0/8/130874378/nonemunu.pdf
    • http://larsonpastels.com/uploads/1/3/0/7/130738859/2bacbda7bebafbc.pdf
    • http://ma-demo.paradigmapps.com/uploads/1/3/0/6/130620606/2178660.pdf
    • http://breatheeasygardens.com/uploads/1/3/0/8/130813427/3187900.pdf
    • http://amomilanoleather.com/uploads/1/3/0/7/130775131/7760928.pdf
    • http://domaindrivenmicroservices.com/uploads/1/3/0/4/130476671/zugoxa.pdf
    • http://dbgroundworks.org/uploads/1/3/0/5/130551418/29dc8b.pdf
    • http://argentinahop.com/uploads/1/3/0/5/130588605/fabet_luxiwaji.pdf
    • http://abodeluxury.com/uploads/1/3/0/7/130775404/2189087.pdf
    • http://digitalmarketingcourses.com/uploads/1/3/0/4/130489727/raduvepe.pdf
    XMP metadata namespace URIs (present in any PDF carrying XMP metadata; identifiers, not clickable links, and not counted toward the link-farm heuristic):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
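The three link heuristics above (URL extraction per channel for PDF_URI and EMBEDDED_URL, and the size-plus-clustering rule behind PDF_SEO_LINK_FARM) can be reproduced with a small stand-alone extractor. The following is an added example written for this page, not the analyzer's own code: it pulls /URI actions out of raw PDF bytes (both literal and hex string encodings), separates XMP namespace URIs from real link targets, and scores the link set by size, count, share of .pdf targets and host/path-scheme clustering. The thresholds (100 KB, 8 links, 50% .pdf targets, 80% clustering), the synthetic one-page PDF it builds, and the function names are assumptions; the target URLs are copied from the list above.

```python
"""Link-farm triage for PDF files. Added example, not the analyzer's code.
Thresholds (size_limit, min_links, min_pdf_ratio, min_cluster) are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# XMP/RDF namespace URIs occur in any PDF that carries XMP metadata. They are
# identifiers, not link targets, so they are reported separately and never scored.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)
# A /URI action stores its target as a literal "(...)" or a hex "<...>" string.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
ANY_URL = re.compile(rb"https?://[^\s<>\"')]+")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs reached through /URI actions, i.e. the clickable-link channel."""
    urls = [m.group(1).decode("latin-1") for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        urls.append(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode()).decode("latin-1"))
    return urls


def extract_raw_urls(pdf: bytes) -> list[str]:
    """Every plain-text http(s) URL anywhere in the file (metadata, body, actions)."""
    return [m.group(0).decode("latin-1") for m in ANY_URL.finditer(pdf)]


def is_xmp_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def path_scheme(url: str) -> str:
    """Directory part with digit runs collapsed, so generated paths on different
    hosts (/uploads/1/3/0/8/130814187/ and /uploads/1/3/0/7/130776519/) compare equal."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])


def classify(pdf: bytes, size_limit=100_000, min_links=8, min_pdf_ratio=0.5, min_cluster=0.8) -> dict:
    """Mimic the report's PDF_URI / EMBEDDED_URL / PDF_SEO_LINK_FARM heuristics."""
    clickable = [u for u in extract_uri_actions(pdf) if not is_xmp_namespace(u)]
    every = extract_raw_urls(pdf) + clickable          # union of all channels
    embedded = sorted({u for u in every if not is_xmp_namespace(u)})
    namespaces = sorted({u for u in every if is_xmp_namespace(u)})
    heuristics = (["PDF_URI"] if clickable else []) + (["EMBEDDED_URL"] if embedded else [])
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    schemes = Counter(path_scheme(u) for u in clickable)
    top_scheme = schemes.most_common(1)[0][0] if schemes else ""
    if clickable:
        # "Clustered" means a shared host OR a shared generated path scheme.
        cluster = max(hosts.most_common(1)[0][1], schemes[top_scheme]) / len(clickable)
        pdf_ratio = sum(urlsplit(u).path.lower().endswith(".pdf") for u in clickable) / len(clickable)
        if (len(pdf) <= size_limit and len(clickable) >= min_links
                and pdf_ratio >= min_pdf_ratio and cluster >= min_cluster):
            heuristics.append("PDF_SEO_LINK_FARM")
    return {"size": len(pdf), "clickable_links": clickable, "embedded_urls": embedded,
            "xmp_namespaces": namespaces, "distinct_hosts": len(hosts),
            "dominant_path_scheme": top_scheme, "heuristics": heuristics}


def build_sample_pdf(targets: list[str]) -> bytes:
    """Constructed one-page PDF with one link annotation per target (alternating literal
    and hex encodings) and an XMP stream; a synthetic stand-in, not the analysed sample."""
    annots = []
    for i, url in enumerate(targets):
        uri = f"({url})" if i % 2 == 0 else f"<{url.encode('latin-1').hex()}>"
        annots.append(f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 300 {i * 12 + 10}] "
                      f"/A << /S /URI /URI {uri} >> >>")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    return ("%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Targets copied from the URL list in the report above (the lure page plus eight carriers).
SAMPLE_TARGETS = [
    "http://uxd66r.bdgct.com/uploads/1/3/0/8/130814187/130814187.html#total+plate+count+method+usp",
    "http://margiesfriedchicken.com/uploads/1/3/0/7/130776519/6b5e92b9efb9b.pdf",
    "http://sohyunparkpiano.com/uploads/1/3/0/8/130874378/nonemunu.pdf",
    "http://larsonpastels.com/uploads/1/3/0/7/130738859/2bacbda7bebafbc.pdf",
    "http://ma-demo.paradigmapps.com/uploads/1/3/0/6/130620606/2178660.pdf",
    "http://breatheeasygardens.com/uploads/1/3/0/8/130813427/3187900.pdf",
    "http://amomilanoleather.com/uploads/1/3/0/7/130775131/7760928.pdf",
    "http://domaindrivenmicroservices.com/uploads/1/3/0/4/130476671/zugoxa.pdf",
    "http://dbgroundworks.org/uploads/1/3/0/5/130551418/29dc8b.pdf",
]

if __name__ == "__main__":
    v = classify(build_sample_pdf(SAMPLE_TARGETS))
    print(v["heuristics"], v["distinct_hosts"], v["dominant_path_scheme"])
```

Two design points worth noting. First, the clustering test accepts a shared path scheme as well as a shared host: on this sample every carrier sits on a different domain, so a host-only rule would miss it, while the digit-collapsed directory /uploads/N/N/N/N/N is identical across all of them. Second, the XMP namespace filter is applied before counting, so a benign single-citation PDF with XMP metadata still raises only PDF_URI and EMBEDDED_URL. A regex over raw bytes will not see URLs inside compressed (FlateDecode) object streams; a production extractor inflates those first.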

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068ab.bin
SHA-256: c468f0b9d9778b17a4520cd6ad544b0e43605a0ca7e4d5e6f92e052e1e177eb7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68AB
Size: 7392 bytes