MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a significant number of external links, many of which are numerically or generically named and hosted on unrelated domains, indicating a link farm or SEO poisoning tactic. One of the embedded URIs, 'http://carlosdia.com/uploads/1/3/0/5/130547142/130547142.html#lepideauditor+installation+guide', is presented as an installation guide, suggesting a social engineering lure. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests a malicious intent to distribute links, likely to malware or phishing sites.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://carlosdia.com/uploads/1/3/0/5/130547142/130547142.html#lepideauditor+installation+guide
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006b39.bin 2e62c153821c60dbb8e24e15c90b9856ee6e734e387779b6235f496a99c4604f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B39 | 10428 bytes |