Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce0d70ac551488d3…

Verdict: MALICIOUS
File type: PDF
Size: 29.9 KB
Created: 2020-06-10 10:33:24 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46600d4c1c0c13f51c400de2b5f3ca5d
SHA-1: 6894118464f47c217f5982794a3bb93bc077f89e
SHA-256: ce0d70ac551488d3370bd48a7712eeab824769991ef67ecece9586381af3c7d3
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body text, though partially corrupted, includes references to URLs that are also present in the extracted URL list. This suggests a tactic to drive traffic to potentially malicious or deceptive websites, possibly for SEO poisoning or phishing.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://webmail.highlandfairview.com/uploads/1/3/1/4/131411078/131411078.html#palme+11.+s%25C4%25B1n%25C4%25B1f+kimya+fen
    • http://myparadisetravel.net/uploads/1/3/0/5/130543941/2651792.pdf
    • http://fionaheart.org/uploads/1/3/0/5/130588533/3988344.pdf
    • http://pretendtheatre.com/uploads/1/3/0/5/130590312/9263089.pdf
    • https://dulikowisu.files.wordpress.com/2020/06/wulamiwimadipewuku.pdf
    • https://xefudud.files.wordpress.com/2020/06/povotokinupapejo.pdf
    • https://xitabomoxe.files.wordpress.com/2020/06/80202245725.pdf
    • https://vikukixiv.files.wordpress.com/2020/06/54730075472.pdf
    • https://vofewutuwoge.files.wordpress.com/2020/06/rojusigewuweb.pdf
    • https://letajesuki.files.wordpress.com/2020/06/juseroxeti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000047e9.bin
SHA-256: 2a81e703b97b2130dfea3952cc8ca7d4027b377f0ebc62da8f3f7bd811173284
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x47E9
Size: 10772 bytes