Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc2d0df2f0c82e8c…

MALICIOUS

PDF

Size: 87.1 KB
Created: 2020-04-08 14:54:26 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4f10335e123082dc8d6d0b7a9080d895
SHA-1: 1fa64718645e597a4dc3ff5dbc8a4e330c38b482
SHA-256: dc2d0df2f0c82e8c62eaaf3361ac3cee2350ad7bd0084ab1b820a4142418bfb0
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though partially corrupted, includes a URL that appears to be part of this link farm. This suggests the primary purpose is to redirect users to potentially malicious or unwanted content hosted on these external sites, likely for SEO manipulation or to serve as a landing page for further attacks.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://buyorsellyours.com/uploads/1/3/0/7/130775879/130775879.html#in+the+heights+movie+2020+rating
    • http://ettcdetail.com/uploads/1/3/1/4/131453706/jajeritojakavujamuba.pdf
    • http://kvacommerce.com/uploads/1/3/0/7/130738984/556c217c8.pdf
    • http://sonomarincounseling.com/uploads/1/3/1/4/131437832/bimadilobemewigil.pdf
    • http://vv-nf.no/uploads/1/3/0/7/130739298/nibinola-bugevejekulebe.pdf
    • http://divinechild1969.com/uploads/1/3/0/5/130546657/daee3eba017e9f.pdf
    • http://365biztransform.com/uploads/1/3/1/4/131407565/aa6f55baf7f8.pdf
    • http://spanishpropertyagents.com/uploads/1/3/0/5/130590637/dikuluw.pdf
    • http://shopsweven.com/uploads/1/3/0/5/130545537/b0300985fd52.pdf
    • http://fifafifa55.com/uploads/1/3/1/4/131438510/afe12e3cd837d8.pdf
    • http://kylestevenanderson.com/uploads/1/3/0/8/130874067/kipagabitum.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00010b4a.bin
SHA-256: 0c56bbdb4a53b57a907239bfd8fdb5e03d141472e651c85c2e3b38e399cb5fd7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10B4A
Size: 10488 bytes

Filename: font_01_sfnt_off00012ff5.bin
SHA-256: 656a56f16e5d9e5a0e882726c1b175962a8b6bca0c03da9929f39b8820e207c4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12FF5
Size: 9748 bytes