Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6dfcaeb3e975486…

MALICIOUS

PDF

Size: 39.6 KB
Created: 2020-03-16 06:21:11 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6943349fd9546af2644430c6bbd49c80
SHA-1: 4ab82b67adf34117b2496d2cd0e4db7e3a064436
SHA-256: d6dfcaeb3e975486c5d188dbacbf07a4b0ab1992981dad81f798ba4f85046fb2
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF document exhibits characteristics of a link farm or SEO spam, embedding a large number of external URLs. The primary heuristic firing indicates a mass of external PDF links, suggesting a tactic to manipulate search engine results or distribute further malicious content. The document body contains keywords like 'Pokemon 3ds emulator free' which may serve as lures. No scripts were extracted, and the maliciousness appears to stem from the distribution of external links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000071bd.bin
SHA-256: caf4c914551e8d21eff3ecbb456ecc74071d1220d4c8280688c24025431bda1c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x71BD
Size: 8284 bytes