Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddf6f143622dfa0e…

MALICIOUS

PDF

131.5 KB Created: 2020-03-29 10:46:21 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 539f1276ce07e80bc7e5a1e9c95e104e SHA-1: 405c216ee9c58d3df6c8431bc708f0301827dad4 SHA-256: ddf6f143622dfa0ef3e1d77008548589985b729b83ace1a49f191c55f8ceeecb
62 Risk Score

Malware Insights

MITRE ATT&CK
T1598 Gather Victim Identity Information T1204 Malicious Link

The PDF contains a significant number of external links pointing to various domains, indicating a link farm strategy. The primary heuristic firing suggests this is a 'PDF_SEO_LINK_FARM' designed to generate traffic or distribute content. The embedded document body text is heavily garbled, but the presence of URLs and the heuristic firings strongly suggest a malicious intent to redirect users to a network of potentially harmful sites.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://afaparents.org/uploads/1/3/0/7/130739779/130739779.html#estad%C3%ADstica+para+ingenieros+y+cient%C3%ADficos+navidi+pdf
    • http://debtrockets.com/uploads/1/3/0/5/130546717/pinajexakimix.pdf
    • http://blindingwindows.co.uk/uploads/1/3/0/7/130738596/8047f01a.pdf
    • http://daradias.com/uploads/1/3/0/2/130289304/movulo.pdf
    • http://revengetour.club/uploads/1/3/0/6/130621523/2588278.pdf
    • http://www.shopmanzi.com/uploads/1/3/0/7/130776312/doripomaxefatowofum.pdf
    • http://holdsworthfamily.com/uploads/1/3/1/0/131070334/jidazanujowuvu_wofonunupa_boranamolubog.pdf
    • http://suekodress.com/uploads/1/3/0/6/130604552/weritufu-bugojol-figojegonip.pdf
    • http://binghamtontherapyworks.com/uploads/1/3/0/4/130483863/7070610.pdf
    • http://aelitasattic.com/uploads/1/3/0/6/130605120/ec6aed3ed8bcb.pdf
    • http://www.hiltonguatemalahotel.com/uploads/1/3/0/7/130739159/1a763.pdf
    • http://skylinedc.org/uploads/1/3/0/2/130287847/532351.pdf
    • http://luxxellierealtors.com/uploads/1/3/0/5/130545011/1219c6a274.pdf
    • http://hueesports.com/uploads/1/3/0/3/130323765/toroli_janonu_kimugesodutaj_vomufurerave.pdf
    • http://karenruane.co.uk/uploads/1/3/0/6/130604528/f2d527c8941.pdf
    • http://millikenentertainment.net/uploads/1/3/0/4/130476214/2518584.pdf
    • http://ajochinger.org/uploads/1/3/0/5/130588319/25548b.pdf
    • http://dmc-usmf.com/uploads/1/3/0/7/130739956/6d9ebe.pdf
    • http://www.californians-care.net/uploads/1/3/1/1/131164552/folita-pisuzuriwepe-vetobajizipov-polosewulajez.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001afc7.bin
43b61f63446f4d4503984daa2bb2fe788c1d9d5aacbdc826bc30fc260c18ec9a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AFC7 11920 bytes
font_01_sfnt_off0001d8dc.bin
d8e5be762bc776688aa96032f2100997fba3b006e15362ae4f15cf9b59a663d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D8DC 3132 bytes
font_02_sfnt_off0001e3d7.bin
448c1a4767686e91add6d45cb0435d2542112593eea8b80b0c565ad679f4c9a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E3D7 16836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.