Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc92217aa27d7d33…

MALICIOUS

PDF

Size: 40.4 KB
Created: 2020-03-11 15:10:17 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 82d6871c909f73b3d548ac479b247180
SHA-1: 0bcd8a0fa3f06dfd5b47b24f60055db144e18c0d
SHA-256: bc92217aa27d7d338d14bc8cacf3c48ce1550354f14e5f552c6eba9c01485ce5
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links to various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body text is largely unreadable, but the presence of numerous links suggests a tactic to manipulate search engine results or to distribute further malicious content. The primary attack pattern involves directing users to these external resources.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007ad2.bin
SHA-256: b8c36f5ae542b6fb7409a5744ea207f4f534fe4a49230da2bfb079ba7d54adff
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7AD2
Size: 6596 bytes