Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0195be0bcedd2a…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2020-06-03 23:14:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5a2add2a2ba172fc7022c579c6e06b21
SHA-1: 3f0d0cb458ff210943b6338b88bcbcd4d30c2e2c
SHA-256: bf0195be0bcedd2ad74a7d527757009ab76a295efe547c07274bef17030d6511
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1598 Phishing for Information
  • T1204.001 User Execution: Malicious Link

The PDF_SEO_LINK_FARM heuristic fired on this sample: a 35 KB document that carries a large number of clickable external links, most of them to other PDF files hosted under near-identical /uploads/1/3/... paths on many unrelated domains, plus a cluster of links on wolfecityhomecoming.com. The document body also carries a prominent link to wolfecityhomecoming.com whose URL fragment is a movie-song-download search phrase, which marks the file as part of the same link farm. Its primary purpose appears to be routing readers into a large collection of similar PDFs hosted on other domains, for search-engine manipulation or as the entry point of a malicious or unwanted-software delivery chain. This is a static result: the link targets were not fetched, so the verdict rests on the link pattern rather than on observed downstream payloads.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the .pdf targets are spread across many hosts that share the same /uploads/1/3/... path layout; that shared layout, not a single host, is the tell here.
  • PDF_URI (info): External URI
    PDF contains an external URL action (a /URI action on a link annotation).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (document body): http://wolfecityhomecoming.com/uploads/1/3/1/3/131378795/131378795.html#qayamat+se+qayamat+tak+movie+song+download
    • http://impermeabilicacionescj.com/uploads/1/3/1/6/131637371/kipigusik.pdf
    • http://amroofing.org/uploads/1/3/0/5/130588461/dirogipapada.pdf
    • http://aidilaryanto.com/uploads/1/3/1/3/131384128/pozoditesegede_tulanaranadut_zijaduxafon_dizonatiz.pdf
    • http://travisnietert.com/uploads/1/3/1/1/131164562/6453213.pdf
    • http://leslie-marshall.com/uploads/1/3/0/7/130740612/rusukevako.pdf
    • http://santoshayoga.net/uploads/1/3/0/4/130488223/zobejovonibe_weviwowo_samebanikarefej.pdf
    • http://storiesthatpersuade.com/uploads/1/3/0/6/130620412/semiroviwetuja.pdf
    • http://specialeventsmusicut.com/uploads/1/3/0/9/130969137/vekuluzedejukutogex.pdf
    • http://hostmaster.advfit.com/uploads/1/3/0/7/130740019/nakakunawebojol.pdf
    • http://rabidrabs.net/uploads/1/3/0/4/130478374/d7a2c963.pdf
    • http://xtremeresolutions.com/uploads/1/3/0/9/130969593/5e630e84d64529a.pdf
    • http://wolfecityhomecoming.com/uploads/1/3/1/3/131378795/terms.html
    • http://wolfecityhomecoming.com/uploads/1/3/1/3/131378795/dmca.html
    • http://wolfecityhomecoming.com/uploads/1/3/1/3/131378795/policy.html
    • https://safarudu.files.wordpress.com/2020/06/zuzezuxewunevin.pdf
    • https://duzawexosusa.files.wordpress.com/2020/06/zorif.pdf
    • https://videmenig247730254.files.wordpress.com/2020/06/lowazemakavuketugokebaxiz.pdf
    The remaining six entries are XMP/RDF namespace identifiers from the document's metadata stream, not navigable links; they are present in the XMP packet of most PDF producers and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
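The three heuristics above reduce to a link extraction followed by a size and host count. As an added example that is not the analysis tool's own code, the following stdlib-only Python scanner pulls /URI action targets and embedded URL strings out of a PDF (inflating FlateDecode streams so link annotations packed in object streams are seen), drops XMP namespace identifiers, and applies a PDF_SEO_LINK_FARM-style score. The thresholds, the function names, the sample PDF and its example.* hosts are my assumptions, not values taken from the real sample or from the tool:

```python
"""Added example, not the analysis tool's own code: stdlib-only PDF link
extraction plus a PDF_SEO_LINK_FARM-style score. Thresholds, hosts and the
sample PDF are assumptions, not values from the real sample."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# XMP/RDF namespace identifiers (the last six "URLs" in the report): bare
# strings inside the metadata packet, not navigable links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # /URI (target)
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def _expand_streams(data: bytes) -> bytes:
    """Raw bytes plus the inflated body of every Flate stream, so link
    annotations packed in object streams are visible to the regexes."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream: the raw scan already covers it
    return b"\n".join(parts)


def _pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes PDF literal strings use for ( ) and the backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list:
    """Targets of /URI actions: the clickable links a PDF_URI check reports."""
    return list(dict.fromkeys(_pdf_string(m.group(1))
                              for m in URI_ACTION_RE.finditer(_expand_streams(pdf))))


def extract_embedded_urls(pdf: bytes, drop_namespaces: bool = True) -> list:
    """Every http(s) string anywhere in the file (an EMBEDDED_URL-style scan),
    minus XMP namespace identifiers unless drop_namespaces is False."""
    urls = (m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(_expand_streams(pdf)))
    return list(dict.fromkeys(u for u in urls
                              if not (drop_namespaces and u.startswith(XMP_NAMESPACE_PREFIXES))))


def link_farm_verdict(pdf: bytes, min_pdf_links: int = 8, max_size: int = 100 * 1024,
                      cluster_ratio: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style score: a small file whose link actions point at
    many external .pdf files. Host clustering is only a secondary signal,
    since a farm may spread its targets over many throwaway hosts instead."""
    uris = extract_uri_actions(pdf)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"size": len(pdf), "uri_actions": len(uris),
            "external_pdf_links": len(pdf_links), "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(share, 2),
            "clustered": share >= cluster_ratio,
            "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links}


def build_sample_pdf(plain_links, packed_links, body_link) -> bytes:
    """Constructed sample: one link annotation per URL, some of them inside a
    FlateDecode object stream, plus an XMP packet. No xref table is written."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/">'
           b'<rdf:Description pdf:Producer="wkhtmltopdf 0.12.5"/></rdf:RDF></x:xmpmeta>')

    def annot(u):
        return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                b"/A << /S /URI /URI (%s) >> >>" % u.encode())

    plain = [annot(u) for u in [body_link] + list(plain_links)]
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(plain)))
    packed = zlib.compress(b"\n".join(annot(u) for u in packed_links))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs,
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
            *plain,
            b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream" % (len(packed), packed)]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Constructed input: hypothetical example.* hosts in the report's /uploads/... layout.
BODY_LINK = "http://example.com/uploads/1/3/1/3/000000000/000000000.html#movie+song+download"
PLAIN_LINKS = ["http://example.com/uploads/1/3/1/3/000000000/%s.html" % p
               for p in ("terms", "dmca", "policy")]
PLAIN_LINKS += ["http://%s.example.org/uploads/1/3/0/5/%09d/%s.pdf" % (h, i, h * 4)
                for i, h in enumerate("abcde")]
PACKED_LINKS = ["https://files.example.net/2020/06/%s.pdf" % n
                for n in ("zuzezu", "zorif", "lowaze", "duzawe", "safaru")]
SAMPLE_PDF = build_sample_pdf(PLAIN_LINKS, PACKED_LINKS, BODY_LINK)

if __name__ == "__main__":
    for key, val in link_farm_verdict(SAMPLE_PDF).items():
        print("%18s: %s" % (key, val))
```

The regex approach is deliberately shallow: it does not parse the xref table or object streams properly, so a PDF that encodes its link target with hex strings, /URI values split across indirect objects, or non-Flate filters will need a real parser. It is enough to reproduce the three signals above on a file like this one, and the namespace filter is what keeps the XMP entries out of the link count.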

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005c52.bin
SHA-256: a3d6ad8a666c69c75089606b407b8540056ad4b709c603f00c20589a826a70d8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5C52
Size: 10668 bytes
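The carved font row above records a file offset, a size and a SHA-256. As an added example (mine, not the analysis tool's code), the following Python carver scans PDF streams, inflates Flate-compressed ones, validates an sfnt header and table directory before accepting a hit, and reports each embedded font the way that row does. The sample PDF and its two fonts are constructed inline; the output name pattern mirrors the report's font_NN_sfnt_offXXXXXXXX.bin, but the validation rules and the sizes are my assumptions:

```python
"""Added example, not the analysis tool's own code: carve embedded sfnt
(TrueType/OpenType) fonts out of a PDF and report offset, size and SHA-256.
The sample PDF and fonts are constructed here."""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def sfnt_length(blob: bytes):
    """Byte length of the sfnt at the start of blob, or None when the header
    or table directory does not parse (rejects magic-only false hits)."""
    if len(blob) < 12 or not blob.startswith(SFNT_MAGICS):
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if not 1 <= num_tables <= 64 or len(blob) < 12 + 16 * num_tables:
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        _tag, _csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if off + length > len(blob):
            return None  # directory points past the data: not a real font
        end = max(end, off + length)
    return end


def carve_fonts(pdf: bytes) -> list:
    """Every stream whose (inflated) body starts with a parseable sfnt."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # stored uncompressed (or not Flate): use the bytes as-is
        n = sfnt_length(body)
        if n is None:
            continue
        font = body[:n]
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), m.start(1)),
            "offset": m.start(1),  # file offset of the stream body
            "size": n,
            "sha256": hashlib.sha256(font).hexdigest(),
            "data": font,
        })
    return found


def make_sfnt(tables: dict) -> bytes:
    """Constructed minimal TrueType container: header, directory, tables."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 0, 0, 0)
    directory, data = b"", b""
    base = 12 + 16 * len(tables)
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, base + len(data), len(payload))
        data += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + data


def build_sample_pdf(plain_fonts, flate_fonts) -> bytes:
    """Constructed sample: FontFile2 streams, stored and Flate-compressed."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [] /Count 0 >>"]
    for f in plain_fonts:
        objs.append(b"<< /Length %d /Length1 %d >>\nstream\n%s\nendstream" % (len(f), len(f), f))
    for f in flate_fonts:
        z = zlib.compress(f)
        objs.append(b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
                    % (len(z), len(f), z))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


FONT_A = make_sfnt({b"head": b"\x00\x01\x00\x00" + b"\0" * 52, b"name": b"A" * 32})
FONT_B = make_sfnt({b"head": b"\x00\x01\x00\x00" + b"\0" * 52, b"cmap": b"B" * 64})
SAMPLE_PDF = build_sample_pdf([FONT_A], [FONT_B])

if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f["name"], f["size"], f["sha256"])
```

Validating the table directory matters because the four-byte TrueType magic is just 00 01 00 00, which shows up in arbitrary binary data; without that check a carver produces junk artifacts with meaningless hashes. For a compressed font the reported offset is that of the stream body in the file, not of the bytes that were hashed, which is why the size and hash are taken from the inflated data.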