PDF malware analysis — malicious · c798631b477cdf2b

MALICIOUS

PDF

33.7 KB Created: 2020-06-06 05:42:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 148bedbe8492aa07f2c5c2c5bef9a059 SHA-1: 07537db8189c3448973b3cce6db1e2de932dbc22 SHA-256: c798631b477cdf2b4c90f869273e00daad3b79c7847137cecb000e07946c689a

70 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to other PDFs hosted on similar domains. This suggests a link farm or SEO spam tactic designed to drive traffic or host malicious content. The presence of a 'download button' heuristic further supports the idea that the user is being prompted to click through to external resources. No scripts were extracted from this sample.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://discoverelc.com/uploads/1/3/2/3/132303118/132303118.html#irish+bagpipe+ringtones
- http://autodiscover.brasspearlsandpatina.com/uploads/1/3/0/9/130969366/taxukejokeg-pavivubuzu.pdf
- http://thecrazycatlady.org/uploads/1/3/1/0/131071188/7983e.pdf
- http://madisonarearugcleaning.com/uploads/1/3/0/4/130483047/kasirunulege.pdf
- http://ecsmedicine.org/uploads/1/3/1/8/131856641/pofipezev.pdf
- http://romitkumar.com/uploads/1/3/1/0/131070246/2060783.pdf
- http://approvedfhacondos.com/uploads/1/3/0/6/130621818/6696f11f79.pdf
- http://cpanel.mesisamtheethiopianeatery.com/uploads/1/3/0/6/130621589/8f37778e.pdf
- http://joshlemonsfitness.com/uploads/1/3/0/2/130272921/3af2a4512f69a7.pdf
- http://bailemenguojiyuledaili.br3h.com/uploads/1/3/0/6/130622120/xopeja.pdf
- http://thelakecampground.com/uploads/1/3/0/6/130621947/aa2202f.pdf
- http://webdisk.psychologiepraktijktilburg.nl/uploads/1/3/1/1/131164093/01c812171200.pdf
- http://dsmunitedfc.com/uploads/1/3/0/3/130324075/govawexajisu.pdf
- http://future-chefs.com/uploads/1/3/0/3/130323417/bevoguma.pdf
- http://gandrkitchenhardware.com/uploads/1/3/0/5/130541221/e51c5d681ffe563.pdf
- http://discoverelc.com/uploads/1/3/2/3/132303118/terms.html
- http://discoverelc.com/uploads/1/3/2/3/132303118/dmca.html
- http://discoverelc.com/uploads/1/3/2/3/132303118/policy.html
- http://dsmunitedfc.com/uploads/1/3/0/3/1303240
- https://kepiminaje.files.wordpress.com/2020/06/41327813242.pdf
- https://jobajurijemo.files.wordpress.com/2020/06/nomidew.pdf
- https://wixetuti.files.wordpress.com/2020/06/gafap.pdf
- https://vizozada.files.wordpress.com/2020/06/96469592507.pdf
- https://ranojogirufe.files.wordpress.com/2020/06/kotufuge.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000055b8.bin` `c16edcf282d945dda12c5c13ac3424a60bc62b5f8af7300d051ad531c7128c70`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x55B8	10824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.