Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbe4452b9f14c744…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Created: 2020-05-13 00:24:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 57088d7716a4f25d128fd9f5f7eb9e57
SHA-1: a526defac032fa64ba719b05a85ed11cc9ec44ff
SHA-256: bbe4452b9f14c744e3412828da5a69354fee9228b896f24f6b507a3217be7a5a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a mass external link farm, with 30 links pointing to various domains. The primary purpose appears to be SEO manipulation or distributing malicious content through these numerous external links. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine a more specific attack pattern or intent beyond the link farm.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007b16.bin
    SHA-256: 936ac11ae690655c8e2a4b27c422f4f268fe9f9af9129cc8af7228936bfdc0fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B16
    Size: 2048 bytes
  • Filename: font_01_sfnt_off0000848d.bin
    SHA-256: cfd4e8529d4a40233f4755a1f22acb5b526d0908f1fc44d06ce11a1aa410583a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x848D
    Size: 11036 bytes