Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc760e2d7160cdda…

Verdict: MALICIOUS

File type: PDF

Size: 43.6 KB
Created: 2020-03-26 02:20:49 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 92a68dec6af1c756f37239c181041c5b
SHA-1: 5e2dee788fe0b9efbdb382564155c7709a9c7eb9
SHA-256: bc760e2d7160cdda56cf0ab7bbeea12228d95973c3e50840b473b2848cb5de77
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF file contains a large number of external links, many of which point to similarly structured URLs on different domains. This suggests a link farm or SEO spam tactic. The document body, though partially corrupted, contains a title related to biology practicals and mentions the authoring application, which is likely a lure to disguise the malicious intent. The primary attack pattern involves redirecting users to potentially malicious external content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000077c1.bin
  SHA-256: f5f88c2a3e45f3933d3379841c8abbb7f45ea4f7e611f1a86bb6b55f648576f5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x77C1
  Size: 7864 bytes

Filename: font_01_sfnt_off0000967d.bin
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x967D
  Size: 2652 bytes