Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdf2da331e3a882d…

MALICIOUS

PDF

42.6 KB Created: 2020-03-10 04:48:09 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7fa9f2a99cdadee1f9c32de065806ef8 SHA-1: 4c302489e7be732b218ad2592b15b06edd9ebeb0 SHA-256: bdf2da331e3a882dddeff76e1f564f68136fc31f8a800108083a26814a770230
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The primary URL points to a page that appears to be an 'Aetna prior auth form for procrit', suggesting a lure related to medical insurance or pharmaceuticals. The document body is heavily obfuscated but contains references to the URLs. The presence of numerous links to external PDFs indicates a likely attempt to redirect users to potentially malicious content or engage in SEO spam.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://huanjiangpindeqipaiyouxi.br3h.com/uploads/1/3/0/5/130589132/130589132.html#aetna+prior+auth+form+for+procrit
    • http://mnixonsclassroom.com/uploads/1/3/0/4/130490056/kafobesot_kogowabe.pdf
    • http://rjsdiner.org/uploads/1/3/0/5/130539345/1d3c761ad.pdf
    • http://www.viffl.com/uploads/1/3/0/6/130640042/tizaturon-ravikomo-mubonoru.pdf
    • http://onlygodcanjudgeus.com/uploads/1/3/0/5/130551477/624a071b7.pdf
    • http://bluhorizontravel.com/uploads/1/3/0/7/130739376/8231472.pdf
    • http://www.cardiffaestheticandlaserclinic.com/uploads/1/3/0/5/130551416/d3d3cf.pdf
    • http://www.trainingbytignor.com/uploads/1/3/0/6/130621588/7029005.pdf
    • http://vpokerfriends.com/uploads/1/3/0/6/130620788/nosamitewifo_bibeduzo.pdf
    • http://74-123-73-96.mgwnet.com/uploads/1/3/0/7/130776100/bixigatesas.pdf
    • http://gallabethministries.org/uploads/1/3/0/3/130379462/70ad98c31.pdf
    • http://www.hansellsfoods.co.uk/uploads/1/3/0/8/130814250/5947978.pdf
    • http://manylabs.net/uploads/1/3/0/4/130476207/gasoviwe_batugu.pdf
    • http://www.boemo.co/uploads/1/3/0/6/130604322/lanalijujise.pdf
    • http://handheldnation.com/uploads/1/3/0/5/130588237/9766959.pdf
    • http://bumpfranchising.com/uploads/1/3/0/5/130590235/4abc2d12e.pdf
    • http://coastalministries.org/uploads/1/3/0/6/130621322/barenuperevap.pdf
    • http://northbrisbanemortgagebrokers.com.au/uploads/1/3/0/3/130379457/jesenowebaveme.pdf
    • http://www.ffhsaz.info/uploads/1/3/0/6/130621407/0350da1b3.pdf
    • http://suncitycenterhomes.com/uploads/1/3/0/7/130739430/6064312.pdf
    • http://katies5280.com/uploads/1/3/0/3/130323401/1804514.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007dfb.bin
23a3e5587eae934ff3a4f29eab9013781d725a4cfe2649a4007b021f4e17bf42		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DFB 7992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.