Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfa8de02f94175a3…

Verdict: MALICIOUS

File type: PDF

Size: 48.6 KB
Created: 2020-03-27 05:29:29 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7e8ab6b66e65312944cae004b6ff6412
SHA-1: dcd2cc69a41d60d02a545a5b8e4b952d4b2135dd
SHA-256: cfa8de02f94175a39b51a5f75aaa5d7441b392fe3e6968319fdc652f47a33a92
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body, though heavily obfuscated, contains references to training material and URLs that appear to be part of a link farm. The heuristic 'PDF_SEO_LINK_FARM' confirms the presence of numerous external links, with the primary host being 'rioathletic.com'. The IOCs listed are the most prominent URLs extracted from the document.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://welloff.marketing/uploads/1/3/1/4/131406610/131406610.html#six+sigma+yellow+belt+training+philippines
    • http://rioathletic.com/uploads/1/3/0/7/130776642/fixexomeris.pdf
    • http://riccinudeart.com/uploads/1/3/0/2/130271211/rapuwiv.pdf
    • http://nodaysoffalthletics.com/uploads/1/3/0/6/130621808/1269778.pdf
    • http://jayseigel.com/uploads/1/3/0/9/130969419/teguwazed.pdf
    • http://soundpreservation.co/uploads/1/3/0/2/130271219/paxuwabawod_sojugifad.pdf
    • http://homegrownplayerdevelopment.com/uploads/1/3/0/4/130483981/ba2eb1b6.pdf
    • http://chucksmithson.com/uploads/1/3/0/6/130621459/8465688.pdf
    • http://fintoro.com/uploads/1/3/0/6/130621108/c99993560.pdf
    • http://mail.sass-and-crafts.com/uploads/1/3/0/7/130740432/zimerotetok_sesusiraw_xilelimegidam.pdf
    • http://thomashartptnc.com/uploads/1/3/0/5/130543772/308ae5db53.pdf
    • http://smgmusicpub.com/uploads/1/3/0/6/130639508/medipowaki_nudolifaka_wetanawili.pdf
    • http://specialfxstyle.com/uploads/1/3/0/5/130550665/vijunekozu_tuzizopisorad_nazofolurujun.pdf
    • http://glamodo.org/uploads/1/3/0/4/130483862/40fa014ca8e72.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard RDF, Dublin Core and XMP namespace identifiers from the document's XMP metadata, not clickable links; only the preceding entries belong to the link-farm pattern.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007d04.bin
    SHA-256: eb5326e387b3a834a62a16b5714ef55b1557e895f290c0a438e1dfeb6b223975
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D04
    Size: 9096 bytes
  • Filename: font_01_sfnt_off00009f6d.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F6D
    Size: 16204 bytes