Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfb22e35a2f843e6…

Verdict: MALICIOUS
File type: PDF
Size: 71.5 KB
Created: 2020-04-07 22:22:23 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6e47f3c1d0c2819de3b3477fdbf4a354
SHA-1: cc84b8b94604cb356bf6e2bf963ed4d2993b7142
SHA-256: bfb22e35a2f843e6ff4bd83bf6ab8d9fb32ff43762a1702f5e507a953042b0b4
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The primary URL points to a page with Vietnamese text, suggesting a potential lure. The file's purpose appears to be directing users to a network of linked pages, likely for malicious SEO or to serve further payloads.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://thescentedbathco.com/uploads/1/3/0/2/130289233/130289233.html#h%E1%BB%93+%C4%91%C3%A1+b%C3%A0n+th%E1%BB%8B+x%C3%A3+t%C3%A2n+uy%C3%AAn+b%C3%ACnh+d%C6%B0%C6%A1ng

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000bc4d.bin
    SHA-256: 3b90f5a9049f50e0ed55f81b224980aea65e388741870c48ecdde0c4c9eb5eb4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC4D
    Size: 11284 bytes
  • font_01_sfnt_off0000e0b5.bin
    SHA-256: 45e856ea5d56b2618c3f6df05e1b23ce9755cf06b2ef6062f6d629b7e66796f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE0B5
    Size: 2820 bytes
  • font_02_sfnt_off0000eaaf.bin
    SHA-256: cc0fc65acb1a0657db261c71c33f967cbbe40ae5082aba8d0939be9ade076afc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEAAF
    Size: 24708 bytes