Malicious PDF — malware analysis report

Static analysis result for SHA-256 d70d9878957bbfd0…

MALICIOUS

PDF

35.0 KB Created: 2020-04-08 04:40:14 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9f29a7da6176e6a13eab0536621c3212 SHA-1: f65058eded3fe85eec214a08af6f40323fb2b9b4 SHA-256: d70d9878957bbfd09312a11ae1fdcf60c5117982a4738cc0a60255364595af70
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF contains a large number of external links to other PDF files, indicating a link farm or SEO spamming operation. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests this malicious intent. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the idea that the document is designed to trick users into clicking links. No scripts were extracted from this sample, limiting the analysis of direct payload delivery.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lipglossmarketing.com/uploads/1/3/0/6/130621941/130621941.html#hornady+6.5+creedmoor+trim+length
    • http://wowcreativetouch.com/uploads/1/3/0/2/130289784/3e89ada5e1dad.pdf
    • http://n80090.com/uploads/1/3/0/6/130639409/7870926.pdf
    • http://phonesavers.ca/uploads/1/3/0/8/130813797/ruxukefukosekus.pdf
    • http://1vwc.com/uploads/1/3/0/4/130483956/7674741.pdf
    • http://cubcreekheating.com/uploads/1/3/0/4/130435622/9536445.pdf
    • http://oldcitychalkandsign.com/uploads/1/3/1/4/131482881/jezuzew-mebisutowipom.pdf
    • http://2001silveradoz71.com/uploads/1/3/0/5/130538866/denonozutijigigedol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000608e.bin
e9b9e017d0a1d715398f4237d8028220dc57987ace923aa88b4d2695bbd05872		 pdf-font-stream PDF embedded font (sfnt) at offset 0x608E 7908 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.