Malicious PDF — malware analysis report

Static analysis result for SHA-256 c62e88455a254e50…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Created: 2020-04-02 02:32:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8e3d172001e58a52aba4a02ef0c4e48a
SHA-1: cdaa12080ce8ab276c6854b6bdb14072c5ec1efc
SHA-256: c62e88455a254e50fad312c288033a66f3cf9f4b80f946359da0a05ecdc6d368
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. The document body text is minimal and appears to be a lure to encourage users to click on these links. The primary heuristic indicates a PDF link farm, suggesting the document's purpose is to drive traffic to these external sites, likely for SEO manipulation or to host further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://universecollision.com/uploads/1/3/0/7/130739549/130739549.html#cual+es+la+diferencia+entre+objetivo+especifico+y+general
    • http://cashforyourstrips.com/uploads/1/3/0/2/130289690/ravufiveno.pdf
    • http://cookeryacademy.net/uploads/1/3/0/2/130289295/2162367.pdf
    • http://frankteran.com/uploads/1/3/0/6/130620778/9079968.pdf
    • http://stonelanternhouse.com/uploads/1/3/0/2/130272424/duteregobananin.pdf
    • http://coolbreezeapartments.com/uploads/1/3/1/4/131406532/48489.pdf
    • http://caymanislandstoursandtransportation.com/uploads/1/3/1/3/131384374/20a07.pdf
    • http://clarkeashton.com/uploads/1/3/0/7/130738615/409340.pdf
    • http://bennettdaltonlaw.com/uploads/1/3/0/2/130271094/1636d.pdf
    • http://lamas.digital/uploads/1/3/0/7/130775647/zosikidivifiv.pdf
    • http://savonfraiche.com/uploads/1/3/0/5/130590279/lulemobupelim_mutarine_zaloza.pdf
    • http://afunctionalbody.com/uploads/1/3/0/6/130604355/3c443f2fc0784.pdf
    • http://www.transmac.nl/uploads/1/3/0/6/130639099/24c5fe48b0c.pdf
    • http://mass-awma.net/uploads/1/3/0/2/130289233/3177845.pdf
    • http://nrdiamondclub.org/uploads/1/3/0/2/130288798/821208001fc600.pdf
    • http://stitcheswithluv.com/uploads/1/3/0/7/130776219/bisijew.pdf
    • http://saltydogs.ca/uploads/1/3/0/8/130813898/3135445.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006d57.bin
    SHA-256: 07b8993a6fba3723ce525ac17781e3cb097ceff06931ac92a7551125302abf95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D57
    Size: 8636 bytes