Malicious PDF — malware analysis report

Static analysis result for SHA-256 d87d6735bc321aec…

MALICIOUS

PDF

38.0 KB Created: 2020-06-05 08:46:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 83bec1ab5f4f5f20e250e704abfdff37 SHA-1: 98a25904222649bf04d7b6cdb375c63d28c59831 SHA-256: d87d6735bc321aecac7a6b00a032a9084ae1e7025b6177544ec42ac8b39a6896
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

This PDF document was generated by wkhtmltopdf and contains a large number of external links, many pointing to PDF files on various domains. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm. The document body contains Turkish text related to watching a movie, suggesting a lure. The primary attack pattern involves redirecting users through this network of links, likely to a malicious site or to distribute further malware. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wheelsfleet.com/uploads/1/3/0/4/130483811/130483811.html#uyumsuzlar+2+t%25C3%25BCrk%25C3%25A7e+dublaj+izle
    • http://heinzbassets.com/uploads/1/3/1/0/131069978/bedozamap.pdf
    • http://my-golu.com/uploads/1/3/0/5/130543991/8293677.pdf
    • http://thermalracing.com/uploads/1/3/0/2/130288391/togupapidemif.pdf
    • http://karolinagoldjrecords.com/uploads/1/3/1/3/131382486/nevezasufewan-japutixulawu-nasomad.pdf
    • http://softutor.com/uploads/1/3/0/4/130488416/bixuwijepizef.pdf
    • http://bagxpressplus.com/uploads/1/3/0/7/130738739/tolefirejafa.pdf
    • http://travisfreshner.com/uploads/1/3/0/8/130814296/d9b82ab6588023.pdf
    • http://hostmaster.andreamariedesign.co.uk/uploads/1/3/0/6/130620877/6521606.pdf
    • http://jhopelpaso.org/uploads/1/3/0/6/130604706/gasap.pdf
    • http://hostmaster.foccm.com/uploads/1/3/1/4/131437107/dafutobebuzifo-pepusizole-butufabunir-goxoluju.pdf
    • http://indianspicytreat.com/uploads/1/3/1/3/131381762/xenuxapenijo.pdf
    • http://wheelsfleet.com/uploads/1/3/0/4/130483811/terms.html
    • http://wheelsfleet.com/uploads/1/3/0/4/130483811/dmca.html
    • http://wheelsfleet.com/uploads/1/3/0/4/130483811/policy.html
    • https://sarujameb211904502.files.wordpress.com/2020/06/xitotovazoxifagu.pdf
    • https://mameloga.files.wordpress.com/2020/06/94122313386.pdf
    • https://fonosusuba.files.wordpress.com/2020/06/tovun.pdf
    • https://zibebuti.files.wordpress.com/2020/06/17212424447.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000626e.bin
b2351d2fd48fa573a48863bf8a7e82815855795f1de204aafd2663504e79b983		 pdf-font-stream PDF embedded font (sfnt) at offset 0x626E 12892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.