Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfef5c403bb3195b…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Created: 2020-03-29 04:58:23 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6fa4ed93bb31d115af69b7759c462d20
SHA-1: 45cf34c871d9fbcff8fb657638a98dd47fa3da2a
SHA-256: cfef5c403bb3195b36bb02b7ccf2f560023fef6b2736d341910171f2abe69464
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, a technique often used to create SEO link farms. The primary lure appears to be a document titled '10 ejemplos de suma resta multiplicacion y division de polinomios', which redirects to a network of similarly structured PDF files hosted on various domains. This suggests a campaign focused on manipulating search engine results or driving traffic to malicious content through a link farm strategy.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007726.bin
  SHA-256: d2cefccec595430adaaac04beb12fe97dea0010e9f1e22be03fa60ba3eaa6f0e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7726
  Size: 9136 bytes

Filename: font_01_sfnt_off0000989b.bin
  SHA-256: 19b3275977330ac3ccb9620a693a94e951843036533779dfd3c6e2a395b003ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x989B
  Size: 16152 bytes