Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5ae97f648372e00…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Created: 2020-04-02 15:57:30 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3be52b6f5fbcb0ac3e80a5ccc2f9edad
SHA-1: 534895cd05175c9329729a4c8a5666f4b113845a
SHA-256: c5ae97f648372e00eeabc52f153063e1420a47d143d7c5d6af11d4ae798f7df7
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body, though partially corrupted, includes the text 'Que es la calorimetria' and several URLs, suggesting a lure to external content. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links generated for SEO purposes, which is a common tactic for distributing malicious content or driving traffic. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006884.bin
SHA-256: 35baa3d8bdfb120060fff5068f620bdd79cc1fda9d9ddef789248b4990fca3cc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6884
Size: 8652 bytes