Malicious PDF — malware analysis report

Static analysis result for SHA-256 db373168a72ba95b…

Verdict: MALICIOUS
File type: PDF

Size: 43.0 KB
Created: 2020-06-17 21:59:00 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9409932bd101a4fe344de0ac902d70e4
SHA-1: 6f2e62fd8912449f6d2e20595ac7035d79a4c1d1
SHA-256: db373168a72ba95b8ac0a78a88ab34d8d35bd4e56821f3915eae8d6e6e38f35e

Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains embedded JavaScript and a large number of external links, indicating a malicious intent to redirect users. The critical heuristic firing for 'PDF_SEO_LINK_FARM' strongly suggests this is a link farm designed to manipulate search engine results or lead users to malicious sites. The embedded JavaScript likely facilitates this redirection or further malicious activity. The document body text is largely unreadable binary data, providing no direct clues to the lure.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://carolinasoulco.com/uploads/1/3/1/4/131407293/131407293.html#passive+exercise+machine
    • http://thearcgroupllc.com/uploads/1/3/0/6/130604604/depipolexu-wuranirutugowe-puvozubebotig.pdf
    • http://mail.imagenationfilm.de/uploads/1/3/0/2/130272470/4553727.pdf
    • http://activepropertyfinance.com/uploads/1/3/0/3/130379192/00ba9.pdf
    • http://abatsportsinjuryclinic.com/uploads/1/3/0/7/130775403/digemifen_tilupiz.pdf
    • http://cpcontacts.therapie-pezzettino.nl/uploads/1/3/0/8/130874326/wagupesegomojok-bomuzezaj.pdf
    • http://emilydelbridge.com/uploads/1/3/0/2/130291908/rawox.pdf
    • http://rust-amsterdam.com/uploads/1/3/2/3/132302942/3ae395f1c201c.pdf
    • http://brainbrandllc.com/uploads/1/3/0/7/130739817/4557845.pdf
    • http://daree2be.com/uploads/1/3/1/3/131380029/3d2153.pdf
    • http://parkwaypropertyservices.com/uploads/1/3/1/8/131856244/korub.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006cfa.bin
SHA-256:  8ff58c75f9b5d20bc36cd2419d4d6ae926c4167ea9073037e10d27ef3052d410
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x6CFA
Size:     4736 bytes

Filename: font_01_sfnt_off00007cd0.bin
SHA-256:  882f8065c30bd0f936ae76be4438cac649ad2945cb517d70a116dfa358e0b4b0
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x7CD0
Size:     10360 bytes