Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3710edbc8bf7c25…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Created: 2020-06-20 10:39:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72ded5c0a95f59218c5c9dc6c4cb47f2
SHA-1: ae7955abc8a001794f199d4782023425bbcf7939
SHA-256: c3710edbc8bf7c254e549f2936c02f184f693bb5b066d2df003c964b2c5fa752
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF document contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links are delivered as clickable link annotations (/URI actions) rather than through JavaScript, and they point to several different domains that all follow the same path template, which is the pattern of a generated link-farm or SEO-poisoning carrier. The document body also contains URLs, reinforcing the intent of routing readers to external, potentially harmful, sites. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, typically clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. (In this sample the seven link targets sit on seven different hosts but share a single /uploads/1/3/0/…/ path template.)
  • PDF_URI (info): External URI action
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://whiskeyrockproperties.com/uploads/1/3/0/2/130287302/130287302.html#manual+de+frascati+2013
    • http://intuitivephonics.net/uploads/1/3/0/4/130490643/7218612.pdf
    • http://callnurture.com/uploads/1/3/0/2/130271017/e839ab3580.pdf
    • http://underworldradio.com/uploads/1/3/0/4/130483879/ziwitafula.pdf
    • http://scenarscot.com/uploads/1/3/0/4/130490774/4809500.pdf
    • http://childrensmuseumofnewnan.com/uploads/1/3/0/5/130589140/712d465375.pdf
    • http://viperfisharts.org/uploads/1/3/1/8/131871390/jekudora-gekuzivala-vovuw.pdf
    • http://vpn.stmartindp.com/uploads/1/3/0/6/130620972/fowosopa-ledepotutawa-nawuwimo-lofuziro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries are XMP/RDF namespace identifiers from the metadata stream (standard for any wkhtmltopdf output) and are not link targets; only the first eight are candidate destinations. The first of those carries a keyword-style fragment (#manual+de+frascati+2013) typical of SEO bait pages.
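As an added example, not code from this report or from the analysis tool, the following Python re-implements the two checks the heuristics above describe on raw PDF bytes: it labels each URL-shaped string by the channel that carried it (a /URI link annotation, page text, or an XMP namespace declaration), and it scores the link-farm pattern (small file, many external link annotations, clustering by host, shared path template). The thresholds, the host and path names, and the constructed sample PDF are assumptions; the sample is an uncompressed byte string built for a byte scanner, not a valid document for a PDF reader.

```python
import os
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (assumption, not the analysed file): six /URI link
# annotations over two hosts, one URL in page text, and an XMP metadata stream
# whose namespace URIs must not be counted as links. xref, trailer and stream
# /Length values are omitted because this scanner never parses the object tree.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 10 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 11 0 R"
    b" /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/2/a1.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/2/a2.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/2/a3.pdf) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/2/a4.pdf) >> >> endobj\n"
    b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.test/uploads/1/3/0/4/b1.pdf) >> >> endobj\n"
    b"9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.test/uploads/1/3/0/4/b2.pdf) >> >> endobj\n"
    b"10 0 obj << /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
    b' xmlns:dc="http://purl.org/dc/elements/1.1/"/>\nendstream\nendobj\n'
    b"11 0 obj << >>\nstream\nBT (See http://host-c.test/page.html) Tj ET\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Literal-string /URI values of link actions. Simplification: hex strings and
# escaped parentheses inside the string are not handled.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Anything URL-shaped anywhere in the bytes (streams are assumed uncompressed).
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")
# XMP/RDF namespace prefixes that appear in every XMP packet and are not links.
XMP_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)


def extract_uri_actions(data):
    """URLs reachable through a /URI action, i.e. the clickable link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)]


def label_urls(data):
    """Map every URL-shaped string to the channel that carried it."""
    actions = set(extract_uri_actions(data))
    labels = {}
    for m in ANY_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url in actions:
            labels[url] = "link-annotation"
        elif url.startswith(XMP_NAMESPACES):
            labels[url] = "xmp-namespace"
        else:
            labels[url] = "document-body"
    return labels


def score_link_farm(data, max_size=256 * 1024, min_links=5, cluster_share=0.5):
    """Approximation of the PDF_SEO_LINK_FARM idea; thresholds are assumptions."""
    links = extract_uri_actions(data)
    hosts = Counter(urlsplit(u).hostname for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    paths = [urlsplit(u).path for u in links]
    result = {
        "size": len(data),
        "link_count": len(links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(links) if links else 0.0,
        # A common path template across different hosts fingerprints a generator.
        "shared_path_prefix": os.path.commonprefix(paths) if paths else "",
    }
    result["fires"] = (
        result["size"] <= max_size
        and result["link_count"] >= min_links
        and result["top_host_share"] >= cluster_share
    )
    return result


if __name__ == "__main__":
    for url, channel in label_urls(SAMPLE_PDF).items():
        print(f"{channel:16} {url}")
    print(score_link_farm(SAMPLE_PDF))
```

Run against the URL list in this report, the six w3.org, purl.org and ns.adobe.com entries fall into the xmp-namespace bucket and drop out of the link count, which is the point of labelling each URL by channel before scoring. The shared_path_prefix field is what would surface the /uploads/1/3/0/ template the report's link targets have in common even though they are spread across seven hosts.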

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000048e9.bin
SHA-256: eda05d02108b8bccacca6f86f829ab45f1f15ebc7404e29de175de96d5d02324
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x48E9
Size: 5280 bytes

Filename: font_01_sfnt_off00005ae8.bin
SHA-256: dbe8a5361014926815c33d86be01cf652e53fe06fc876f7d44f3616a0df60f04
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5AE8
Size: 10800 bytes

Both artifacts are embedded TrueType/OpenType (sfnt) font streams, which is normal output for a wkhtmltopdf-generated document; they are listed as carved files for completeness and are not flagged by any of the heuristics above.