Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcd232163320835b…

MALICIOUS

PDF

38.3 KB Created: 2020-03-27 02:43:14 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4bb823f292ff6cb00560dd4750a784f5 SHA-1: e53719c9860a304ab3078dc47eae26fb9839b319 SHA-256: bcd232163320835b094bca90dc471bfc83746629bb3bea41ecffc785d4095f25
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF document contains a lure for a 'Kali linux for windows free download' which is a common tactic to entice users to download potentially unwanted software. The document also contains a large number of SEO-linked PDF files, indicating a link farm or content stuffing strategy. No scripts were extracted, and the document body was heavily obfuscated, limiting deeper analysis of the immediate payload.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dylanwyke.com/uploads/1/3/0/4/130435881/130435881.html#kali+linux+for+windows+free+download
    • http://easternplainsmaternityclinic.rosebudbirthingservices.com/uploads/1/3/0/4/130478314/0db65.pdf
    • http://mta-sts.mail.canicrossnederland.nl/uploads/1/3/0/5/130589268/2159115.pdf
    • http://shadowlength.com/uploads/1/3/0/6/130621588/pubiber.pdf
    • http://holichrisitconsultingllc.com/uploads/1/3/1/3/131379525/8598840.pdf
    • http://selinaplaukai.com/uploads/1/3/0/7/130740010/2898593.pdf
    • http://sararyanduffy.com/uploads/1/3/0/6/130603929/7466670.pdf
    • http://fruitface.net/uploads/1/3/0/6/130604313/c05506.pdf
    • http://www.kaubell.com/uploads/1/3/0/2/130272365/goforemafopiken-wisaxalexax.pdf
    • http://knowbagz.com/uploads/1/3/0/4/130476523/rajuzinizikuki.pdf
    • http://markkraemer.net/uploads/1/3/0/3/130323581/c5787721a043896.pdf
    • http://www.power2bernie.org/uploads/1/3/0/4/130489499/firutiguzazirupif.pdf
    • http://yuanhl.com/uploads/1/3/0/7/130739213/8fb0ea.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d26.bin
aaf8b9b71be94bc980fddf402449b4151b9469eb129ca8a85c81716d1a1a7000		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D26 7964 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.