Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbea3e4318b12863…

Verdict: MALICIOUS
File type: PDF
Size: 33.1 KB
Created: 2020-05-19 05:14:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 869a6f7104bab8ba4adb4c14773e9b0e
SHA-1: 29168ab7cd79d09f98483e4d0ba7601d7241b73a
SHA-256: bbea3e4318b128635b29bd9102652d5872465d3acba3ddeaf9a6c14ae49270ca
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique often used for SEO spam or to redirect users to malicious sites. The heuristic PDF_SEO_LINK_FARM specifically flags this behavior, indicating a likely attempt to manipulate search engine results or distribute malware. The document body contains a reference to 'Www foxpro software free download com', suggesting a potential lure for software download scams.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bobdoak.us/uploads/1/3/0/6/130620163/130620163.html#www+foxpro+software+free+download+com

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005716.bin
SHA-256: a250d6585db0b4ef333d609bd13c5838072e299a0dbd48fbc043aec5cc2dff53
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5716
Size: 9696 bytes