Malicious PDF — malware analysis report

Static analysis result for SHA-256 c135b717391c7d33…

Verdict: MALICIOUS

File type: PDF

Size: 37.4 KB
Created: 2020-06-08 10:33:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6466a37c28b31d0de36bb2a81a65ec84
SHA-1: 453b1a9ca80ae47fbe7e413ce3989567f70e9b78
SHA-256: c135b717391c7d3368a599627ca14bc774ca407a96fc9f7d1016561d8b25ada3

Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to many different domains, suggesting an attempt to build a link farm or to distribute malicious content through a large set of seemingly unrelated PDFs. A URL in the document body also appears in the list of extracted URLs, which reinforces the assessment of malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000631f.bin
SHA-256:  48c3460b1af1940911c8e43b98926ce942ce78649ceeba85e03c87b44e520c95
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x631F
Size:     11444 bytes