Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6c7eea4658ad6d3…

MALICIOUS

PDF

36.4 KB Created: 2020-06-06 18:44:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3ec0ac676a8253aa1640691fb0151988 SHA-1: ebd30c2f079cc583058f958af4107a74e7a9275d SHA-256: d6c7eea4658ad6d3a06bffdc1eb3ef7cb1a1e18c3d6fc76a4e3eefc3eb72092e
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body is largely garbled but contains several URLs that are also listed in the heuristics. The primary attack pattern appears to be a link farm designed to redirect users to numerous other sites, potentially for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://0jeyt.slpny.com/uploads/1/3/0/8/130873787/130873787.html#club+para+secundaria
    • http://privatesmtp.inhotel.co.uk/uploads/1/3/0/6/130621361/belokipuxajuga.pdf
    • http://teenresource5.org/uploads/1/3/0/4/130435622/a73fabc8428cee8.pdf
    • http://rebeccasmithinc.com/uploads/1/3/0/7/130775195/zaxixotagerowis_lowalepuzasuket.pdf
    • http://renzoeats.com/uploads/1/3/1/3/131378837/4731635.pdf
    • http://mail.heizungs-notdienst.com/uploads/1/3/0/3/130323998/bilal_xuvati.pdf
    • http://mail.villasundream.ch/uploads/1/3/0/7/130739577/morejipiv_rolipu_mutip.pdf
    • http://frankencottage.com/uploads/1/3/0/6/130605071/702364.pdf
    • http://mail.michaelmaguire.com.au/uploads/1/3/0/5/130551585/loneragemirisus_koselofoduruti_zupiwefulimixit.pdf
    • http://kanishkasukumar.com/uploads/1/3/1/6/131607164/fff096.pdf
    • http://0jeyt.slpny.com/uploads/1/3/0/8/130873787/terms.html
    • http://0jeyt.slpny.com/uploads/1/3/0/8/130873787/dmca.html
    • http://0jeyt.slpny.com/uploads/1/3/0/8/130873787/policy.html
    • https://rafuzakaxoru.files.wordpress.com/2020/06/29697932915.pdf
    • https://rumewuko.files.wordpress.com/2020/06/19723337599.pdf
    • https://ruletiw.files.wordpress.com/2020/06/wuzarujigodizinagawo.pdf
    • https://larogorogu.files.wordpress.com/2020/06/45219702222.pdf
    • https://goduduwatike.files.wordpress.com/2020/06/vatizefatikorumasaboji.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006211.bin
27f020805297545c5b9a33ca02d44004ceba99ae0f313bc6625b30e7650c95d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6211 10912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.