PDF malware analysis — malicious · cd773f20168231db

MALICIOUS

PDF

77.9 KB Created: 2020-04-23 21:17:30 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 5798e4c69f1567a4d2e51a893b424352 SHA-1: de203f9c269e9fb0d3b33b74876a138e906a9c9c SHA-256: cd773f20168231db31d0ed4b83473c29c9b4579bdad65bba084de41718bf8e2c

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The primary purpose appears to be directing users to a large collection of other PDF files, likely for SEO manipulation or to host further malicious content. The embedded URL in the document body also leads to one of these external sites.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://adventuresbyprice.com/uploads/1/3/0/6/130621437/130621437.html#formal+education+meaning+in+marathi
- http://airpnv.biz/uploads/1/3/1/4/131406173/bedogedut.pdf
- http://twolittlepistols.com/uploads/1/3/0/5/130539091/6cc6319fd99c.pdf
- http://rourkelacatholicdiocese.in/uploads/1/3/0/8/130874075/4429745.pdf
- http://mypaircommunity.com/uploads/1/3/0/2/130289494/gelemifewos.pdf
- http://mmgastore.org/uploads/1/3/0/7/130738622/bigaxowigene-wotesozezaku.pdf
- http://crossfitequanimity.com/uploads/1/3/1/3/131381921/a74a0b42ba443.pdf
- http://revyouinc.org/uploads/1/3/0/4/130435622/1843596.pdf
- http://soberaddictpod.com/uploads/1/3/0/2/130288577/5f5af362.pdf
- http://allroundtreeservice.com/uploads/1/3/0/7/130775962/rupisotivezowesi.pdf
- http://yogicbrad.com/uploads/1/3/0/5/130589195/6a5084.pdf
- http://roussey.org/uploads/1/3/1/3/131398560/8026670.pdf
- http://emilyswinford.com/uploads/1/3/1/3/131398259/tibaremiwipa-dexaludenaveko-siripofiza.pdf
- http://befreedesignco.com/uploads/1/3/1/4/131452937/9950051.pdf
- http://ugrowbc.com/uploads/1/3/0/5/130539408/jijiveduxetuto.pdf
- http://noble.sc/uploads/1/3/0/2/130289317/bb3e4f752a2fb1.pdf
- http://www.(12
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000922e.bin` `9e11a7b808c6f077e77637e615a40b7398075e546a890fa14ee372fee823cb52`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x922E	9444 bytes
`font_01_sfnt_off0000abfa.bin` `f4193a8bc96e3a6168658a60e7e49f502b1118e41981503b2f9b8dacbe9c6510`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xABFA	9280 bytes
`font_02_sfnt_off0000cd5f.bin` `0a4fe7dcdb0aa2c6c804f9ed51c43b45bb0c6e00b970b40d3c653b661882163b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xCD5F	2648 bytes
`font_03_sfnt_off0000d6cc.bin` `b251e00b4eea5cbc23adf0180395c4102aea23bcfb5d03ea18ed6a7b261a67d7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD6CC	2008 bytes
`font_04_sfnt_off0000e0bb.bin` `ff1af644dc962a5be747194799e0f8bd3d74f1cca38eaba674c55011d626cf09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xE0BB	17104 bytes
`font_05_sfnt_off0000f987.bin` `35b807d5ca6548e1116edbcaf9f9ab8b37c2191b8ebe7723b49708e7851538a2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xF987	15400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.