Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcce9292dc92e9ba…

Verdict: MALICIOUS
File type: PDF
Size: 34.9 KB
Created: 2020-03-29 12:32:13 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 57782fc0ca3fa11540cb08ca5c041dff
SHA-1: 53dcae9ae9178053a8d08efa671b647895466ed7
SHA-256: dcce9292dc92e9ba54ce904eaf5006a9abb2ea33dc17e822e88f7eb1c5f556c7
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF carries a large number of clickable external links spread across many domains, a pattern typical of SEO-spam carriers that route readers to further unwanted or malicious content rather than of a normally cited document. The PDF_SEO_LINK_FARM heuristic fires on exactly this pattern and drives the verdict. Text extracted from the document body is garbled and yields nothing readable, so the usable signal is the set of link targets: almost all of them point at further .pdf files under near-identical /uploads/1/3/0/... paths on unrelated hosts, and the one .html target, 'http://nicolitulk.com.au/uploads/1/3/0/5/130589312/130589312.html#biblia+vulgata+latina+espa%C3%B1ol+pdf', carries the search phrase the lure was built around in its fragment. The file was produced by wkhtmltopdf, i.e. rendered from HTML, which is consistent with a generated rather than hand-authored document.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nicolitulk.com.au/uploads/1/3/0/5/130589312/130589312.html#biblia+vulgata+latina+espa%C3%B1ol+pdf
    • http://clairebunker.com/uploads/1/3/0/7/130740368/11d93.pdf
    • http://efmlufkintx.org/uploads/1/3/0/2/130272070/vepogasi.pdf
    • http://easttampa2461.com/uploads/1/3/0/5/130590682/6542457.pdf
    • http://jessupart.com/uploads/1/3/0/7/130776693/tuvafaripaluw-valomemikibaviw-fimejajarojif.pdf
    • http://webdisk.thollfence.com/uploads/1/3/0/7/130739120/pozovomomalatub.pdf
    • http://urbanaffluence.co/uploads/1/3/0/5/130551262/3084270.pdf
    • http://dgh.nyc/uploads/1/3/0/4/130476150/banuparupuli.pdf
    • http://golattice.org/uploads/1/3/0/2/130287266/4192088.pdf
    • http://inspolist.com/uploads/1/3/0/7/130775786/nuribus-kesidafe-gatoxojame-kosaserufukide.pdf
    • http://sbc-ns.ca/uploads/1/3/0/7/130740118/6997881.pdf
    • http://drminnich.com/uploads/1/3/0/6/130639966/sowed.pdf
    • http://buttaflygroup.com/uploads/1/3/0/2/130272254/4696856.pdf
    • http://laboutiqueunique.com/uploads/1/3/0/7/130776008/tunalozed.pdf
    • http://totaltherapeuticsmayfair.com/uploads/1/3/0/5/130551433/7018888.pdf
    • http://borntosend.com/uploads/1/3/0/6/130621597/foxedodupikiwobunar.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard RDF/XMP namespace identifiers from the document's metadata stream, not clickable link targets; they appear because the URL extractor scans the whole file body, and they should be excluded when counting links for the link-farm heuristic.
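The following is an added example of how the PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL note above can be reproduced in a few dozen lines; it is not the report's own detection engine. It pulls /URI action targets out of raw PDF bytes with a regex (no xref walk, so links in incremental updates or unreferenced objects are still seen), then scores file size, link count, the share of targets that are .pdf files, and how strongly the targets cluster on one host or on one digit-collapsed path shape such as /uploads/N/N/N/N/N. All thresholds, the `build_sample_pdf` fixture builder and the `site00.example`-style hosts are assumptions made for the example.

```python
"""Toy PDF link-farm heuristic (added example, not the report's engine).
Thresholds and the fixture PDF are assumptions made for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI followed by a literal string; escaped characters inside the parens are allowed
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
SIMPLE_ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}  # \n \r \t \b \f


def unescape_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal-string body: \\( \\) \\\\, named escapes, octal, line continuation."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 == len(raw):
            out.append(c)
            i += 1
            continue
        n = raw[i + 1]
        if 0x30 <= n <= 0x37:  # up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif n in (0x0A, 0x0D):  # backslash-newline is a line continuation
            i += 3 if raw[i + 1:i + 3] == b"\r\n" else 2
        else:  # \( \) \\ and named escapes; an unknown escape just drops the backslash
            out.append(SIMPLE_ESCAPES.get(n, n))
            i += 2
    return out.decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Every /URI action target in the file, in file order (XMP namespaces are not /URI actions)."""
    return [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def link_farm_score(pdf: bytes, *, max_size=100_000, min_links=10,
                    min_pdf_ratio=0.5, min_cluster=0.5) -> dict:
    """Assumed rule: small file, many http(s) link actions, mostly .pdf targets,
    mostly on one host or one path shape. Returns the measurements with the verdict."""
    urls = [u for u in extract_uri_actions(pdf) if u.lower().startswith(("http://", "https://"))]
    result = {"hit": False, "size": len(pdf), "links": len(urls), "distinct_hosts": 0,
              "pdf_ratio": 0.0, "top_host_share": 0.0, "top_path_share": 0.0}
    if len(pdf) > max_size or len(urls) < min_links:
        return result
    parts = [urlsplit(u) for u in urls]
    hosts = Counter((p.hostname or "") for p in parts)
    # /uploads/1/3/0/5/130589312/x.pdf and /uploads/1/3/0/7/130740368/y.pdf collapse to one shape
    shapes = Counter(re.sub(r"\d+", "N", p.path.rsplit("/", 1)[0]) for p in parts)
    result.update(
        distinct_hosts=len(hosts),
        pdf_ratio=sum(p.path.lower().endswith(".pdf") for p in parts) / len(parts),
        top_host_share=hosts.most_common(1)[0][1] / len(parts),
        top_path_share=shapes.most_common(1)[0][1] / len(parts),
    )
    result["hit"] = (result["pdf_ratio"] >= min_pdf_ratio
                     and max(result["top_host_share"], result["top_path_share"]) >= min_cluster)
    return result


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed fixture: a one-page PDF with one /Link annotation per URL (not the analysed file)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", b""]
    refs = []
    for i, u in enumerate(urls):
        refs.append(f"{4 + i} 0 R".encode())
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (" + esc + b") >> >>")
    objs[2] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + b" ".join(refs) + b"] >>"
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n".encode() + body + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# Constructed URL sets: the farm mirrors the /uploads/1/3/0/... shape seen in the report on made-up hosts;
# the control looks like an ordinary paper with a few citations.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/1305{i:05d}/file{i}.pdf" for i in range(15)]
CITATION_URLS = ["https://doi.org/10.1000/182", "https://example.org/paper.pdf", "https://www.w3.org/TR/xml/"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(label, link_farm_score(build_sample_pdf(urls)))
```

Because only /URI actions are counted, the RDF/XMP namespace URIs that a whole-file URL scanner reports (as in the EMBEDDED_URL list above) never inflate the link count; the path-shape clustering is what catches a farm like this one, where every target sits on a different host but under the same generated directory layout.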

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005df9.bin
SHA-256: 2e0e83fe5ac2cc5beb5c13e6544bd1aab5445e3d806c99cbac37decdc1bdbc3b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5DF9
Size: 9164 bytes