Malicious PDF — malware analysis report

Static analysis result for SHA-256 bccbc95b06c45d16…

Verdict: MALICIOUS
File type: PDF
Size: 54.2 KB
Created: 2020-03-24 14:57:38 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: febb1d13254567a796e5b3dc676151dd
SHA-1: 14e245ec02b1b29c0b8477669cca9ce77580a373
SHA-256: bccbc95b06c45d16ec168a5562375b59873ba6ca26810e24e63bddcee8112251
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF carries a large number of clickable external links, a pattern typical of SEO poisoning, where generated documents are seeded into search results to route visitors to attacker-chosen pages. The document body, while containing some garbled text, includes the URL http://cryptoassets.xyz/uploads/1/3/0/5/130539309/130539309.html#linea+del+tiempo+delos+avances+cientificos+de+la+biologia; its fragment is a search keyphrase (Spanish for "timeline of the scientific advances of biology") rather than an anchor within the target page, which is characteristic of link-farm content. The producer string (wkhtmltopdf 0.12.1.4 via Qt 4.8.6) shows the file was rendered from HTML, consistent with automated generation rather than a hand-authored document. The PDF_SEO_LINK_FARM heuristic fires on this mass of external PDF links and rates the file as a likely carrier used to drive traffic to compromised or malicious domains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): external URI action
    PDF contains an external URL action (/URI).
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cryptoassets.xyz/uploads/1/3/0/5/130539309/130539309.html#linea+del+tiempo+delos+avances+cientificos+de+la+biologia
    • http://tastingfair.com/uploads/1/3/0/6/130604590/9873023.pdf
    • http://bigalsfireworks.com/uploads/1/3/0/2/130291592/5817709.pdf
    • http://mail.alexanderwenger.ch/uploads/1/3/0/2/130291635/2702839.pdf
    • http://drstellamedicalintuitive.com/uploads/1/3/0/6/130621815/7fc13d.pdf
    • http://andrewdpaterson.com/uploads/1/3/0/7/130738933/f4904f8.pdf
    • http://pilatesbrienzseestark.com/uploads/1/3/0/5/130539702/cc58fba8b4a.pdf
    • http://constitutionalteaparty.org/uploads/1/3/0/6/130605084/semepiwo.pdf
    • http://kmclinicaltraining.co.uk/uploads/1/3/0/6/130620530/majovib_vedele_gazajazolubu.pdf
    • http://store.arvadahistory.org/uploads/1/3/0/6/130621700/talafemopiz.pdf
    • http://mercystreetchurch.com/uploads/1/3/0/6/130621285/tevajupezowebamoxa.pdf
    • http://cobbspropertyservicesltd.com/uploads/1/3/0/5/130546283/vanekugajaved.pdf
    • http://theclassicnc.com/uploads/1/3/0/2/130288320/8676300.pdf
    • http://kosmokayla.com/uploads/1/3/0/8/130874001/mebofibakax_naxorege_dadotupuso_segit.pdf
    • http://edifyyounow.com/uploads/1/3/0/6/130620346/powixipotutepasow.pdf
    • http://smithpaintings.com/uploads/1/3/0/2/130272603/1382779.pdf
    • http://graceturnerofficial.com/uploads/1/3/0/2/130288412/dukakase.pdf
    • http://spiritjourney.org/uploads/1/3/0/7/130739459/9818508.pdf
    • http://mentawhite.com/uploads/1/3/0/7/130739020/fevenuw-vobotemapafa.pdf
    The six URIs below are XMP/RDF namespace identifiers taken from the document's metadata stream (present in any wkhtmltopdf/Qt-produced PDF); they are not clickable link annotations and are not part of the link-farm pattern:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
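The link-farm heuristic above can be reproduced in a few dozen lines. The following is an added example written for this page, not the analysis vendor's detector and not code from the sample: it pulls every /URI action target out of a PDF (from the raw objects and from any stream that inflates as FlateDecode, so annotations tucked into compressed object streams are not missed), then applies an assumed rule of small file, many external links, and most of them either on one host or pointing at further .pdf files. The size, link-count and clustering thresholds, the `.invalid` hostnames and the constructed sample PDF are all assumptions; bare URLs in XMP metadata (the rdf/dc/xap namespaces listed above) are not /URI actions and are deliberately not counted.

```python
"""Link-farm triage for a PDF: pull every /URI action target and apply a
size / link-count / clustering rule. Added example, not the report vendor's
detector; thresholds and the constructed sample are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (...) or a hex string <...>
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
# Stream bodies; the lookbehind keeps "endstream" from matching as "stream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def _unescape(lit: bytes) -> str:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and \\ddd octal."""
    def repl(m):
        e = m.group(1)
        if re.fullmatch(rb"[0-7]+", e):
            return bytes([int(e.decode(), 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, lit, flags=re.S).decode("latin-1")


def extract_uri_actions(data: bytes) -> list:
    """Every /URI action target: raw objects plus any stream that inflates as
    zlib (FlateDecode object streams). XMP namespace URLs are not /URI
    actions and are therefore never returned."""
    bodies = [data]
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed or non-Flate stream; the raw scan covers it
    found = []
    for body in bodies:
        for lit, hexs in URI_RE.findall(body):
            if hexs:
                h = re.sub(rb"\s", b"", hexs)
                h += b"0" if len(h) % 2 else b""  # PDF pads an odd final digit
                if h:
                    found.append(bytes.fromhex(h.decode("ascii")).decode("latin-1"))
            elif lit:
                found.append(_unescape(lit))
    return found


def assess_link_farm(data: bytes, max_size=200_000, min_links=10, cluster_ratio=0.6) -> dict:
    """Assumed rule (not the vendor's): small file, many external /URI actions,
    and most of them on one host or most pointing at further .pdf files."""
    uris = [u for u in extract_uri_actions(data)
            if u.lower().startswith(("http://", "https://"))]
    n = len(uris)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in uris)
    top_share = top_count / n if n else 0.0
    pdf_share = pdf_targets / n if n else 0.0
    clustered = top_share >= cluster_ratio or pdf_share >= cluster_ratio
    flagged = len(data) <= max_size and n >= min_links and clustered
    return {"size": len(data), "uri_actions": n, "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(top_share, 2),
            "pdf_targets": pdf_targets,
            "verdict": "PDF_SEO_LINK_FARM" if flagged else None}


def build_sample_pdf(urls, objstm_urls=()) -> bytes:
    """Constructed sample (not the analysed file): one /Link annotation per URL,
    an uncompressed XMP metadata stream with the usual namespace URIs, and
    optionally more annotations inside a FlateDecode object stream."""
    def annot(u):
        return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None,  # page object, filled in once annotation numbers are known
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream"]
    first = len(objs) + 1
    objs += [annot(u) for u in urls]
    refs = b" ".join(b"%d 0 R" % (first + i) for i in range(len(urls)))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>"
    if objstm_urls:
        z = zlib.compress(b"\n".join(annot(u) for u in objstm_urls))
        objs.append(b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(z)
                    + z + b"\nendstream")
    out = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + o + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed inputs: 7 page links on one host (fragment carries a keyphrase),
# 4 PDF-to-PDF links on assumed .invalid hosts, 2 more links hidden in an ObjStm.
SAMPLE_PAGE_URLS = ["http://cryptoassets.xyz/uploads/1/3/0/5/130539309/%d.html#keyword+stuffed+fragment" % i
                    for i in range(7)]
SAMPLE_PDF_URLS = ["http://host%d.invalid/uploads/%d.pdf" % (i, i) for i in range(4)]
SAMPLE_OBJSTM_URLS = ["http://cryptoassets.xyz/a.html", "http://cryptoassets.xyz/b.html"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_PAGE_URLS + SAMPLE_PDF_URLS, SAMPLE_OBJSTM_URLS)

if __name__ == "__main__":
    print(assess_link_farm(SAMPLE_PDF))
```

Running the block on the constructed sample reports 13 /URI actions across 5 hosts with about 69% on cryptoassets.xyz and flags it; the same builder with a single reference link yields no verdict. Two limits worth keeping in mind: a raw-byte scan does not follow cross-reference streams, so a well-formed parser (pdfminer, pypdf, or pdfid/pdf-parser) is the right tool once a file is flagged, and link text in page content streams that is not backed by a /Link annotation is not a /URI action and will not be counted here.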

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded fonts, which a wkhtmltopdf/Qt-rendered document normally carries; they are listed for completeness and are not indicators by themselves.

Filename: font_00_sfnt_off000090a2.bin
  SHA-256: fee80140c73987bf71b6ba8d020c77425e3cdfae96d74f1866b9f9ad67de9f69
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x90A2
  Size: 9744 bytes

Filename: font_01_sfnt_off0000b3b1.bin
  SHA-256: f19dc41d490b60033b52f2fdde74623f1ba9924597607807c173cf149651756c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB3B1
  Size: 16060 bytes