Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7bf472930a3f7fe…

Verdict: MALICIOUS
File type: PDF
Size: 39.2 KB
Created: 2020-06-06 06:06:36 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 78dee225007cb050018b1a1886b2c285
SHA-1: 634fa7d0f91b4eadfd9c5aa832546b8927580620
SHA-256: b7bf472930a3f7fe074bc26336bf40f3848c73e3afa8bb7c30c8224ba8a8473d
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, which suggests a link farm or SEO-poisoning tactic. The document body itself is heavily obfuscated but contains references to the Masonic catechism and to the authoring application, which are likely decoys. No scripts were extracted from this sample. The primary attack pattern is to direct users to a large number of external resources.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006eab.bin
    SHA-256: 7ce483a51f1a14cde2a53fbc98905b43aba5eae0f4368888927b12e10f51e30f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EAB
    Size: 10140 bytes