PDF malware analysis — malicious · b82f9af826a4bdc8

MALICIOUS

PDF

40.9 KB Created: 2020-03-31 02:17:39 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 44c7ced70b1e682816acb4615fcf8986 SHA-1: d37a15f08f87e0d3dbb4c09166e28b4a321c28b5 SHA-256: b82f9af826a4bdc85329ce1b45257cf71439d9525b4d1e3ad008197fa001f58f

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1598.002 Host Discovery: Scan For Website

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, contains text suggesting it is an educational resource ('Libro de matematicas tercer grado de secundaria contestado 2018'). This combination indicates a likely SEO spam or phishing campaign, where users are directed to numerous external sites. No scripts were extracted from this sample.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://stayhererentals.com/uploads/1/3/1/3/131384025/131384025.html#libro+de+matematicas+tercer+grado+de+secundaria+contestado+2018
- http://superiortrusses.net/uploads/1/3/0/5/130551449/viribidatupasevufa.pdf
- http://jdoze.com/uploads/1/3/0/4/130476188/6600176.pdf
- http://whatchaneeddrivethru.com/uploads/1/3/0/2/130272319/muborodowor-jetowilajojix-sajimo-tarorudukidevo.pdf
- http://fayettevillepride.com/uploads/1/3/1/1/131164012/1c2c30c84.pdf
- http://castawaycustomsmidwest.com/uploads/1/3/0/3/130323705/sapib.pdf
- http://christineravatfarenc.com/uploads/1/3/0/4/130490444/287effe95cfe9b.pdf
- http://preppinghomestead.com/uploads/1/3/0/6/130639138/potujat_tusujegu_petoginanogep_gewimiwufiko.pdf
- http://afforableandlowcost.com/uploads/1/3/0/7/130740178/8813487.pdf
- http://shamanicharmonic.com/uploads/1/3/0/5/130538946/rufawegekanad.pdf
- http://avididonline.com/uploads/1/3/1/1/131164011/9516297.pdf
- http://shopdiveinmagazine.com/uploads/1/3/0/3/130324167/2858044.pdf
- http://afsnzsupporter.org/uploads/1/3/0/3/130379523/vogolu.pdf
- http://speedlore.com/uploads/1/3/0/4/130435594/xavikozuvobolem.pdf
- http://your-simplicity.com/uploads/1/3/0/7/130738525/6167019.pdf
- http://gorjillc.com/uploads/1/3/0/7/130775846/8173927.pdf
- http://diadelosmuertoseast.org/uploads/1/3/0/7/130740464/xezaso-dazulumadumofuf-dededosevog.pdf
- http://chalkedeepika.com/uploads/1/3/0/5/130539279/mekotuxebupado-mupizuluwik-kokoxuxomoneki.pdf
- http://mx.bonellipark.org/uploads/1/3/0/6/130640142/vefeparaxiwugul_nunoxoxosubijax_genanudobofimer.pdf
- http://assuredthang.com/uploads/1/3/0/2/130288909/4124136.pdf
- http://thorshammerbc.com/uploads/1/3/0/6/130639181/b24698a.pdf
- http://poolganics.com/uploads/1/3/0/6/130604303/e868f70938.pdf
- http://growersgrandaughter.com/uploads/1/3/0/7/130775308/kakitizugapu-kupisafijimu-fulugatazu.pdf
- http://growersgrandaughter.com/uploads/1/3/0/7/130775308/kakitizugapu-kup
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000073f2.bin` `3dcb38b3a538d1d1330f686054568ea08f307bdc8b9594a75887821270925787`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73F2	8592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.