Malicious PDF — malware analysis report

Static analysis result for SHA-256 e21c478b7dd6080f…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2020-03-10 12:13:57 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 44c72f79cdfb73e938a37f2169fbb8dd
SHA-1: 9ad8e99397d7ba244495a0b7ff793b477b9b5525
SHA-256: e21c478b7dd6080f2400e7670922852c8e2092f4c7f8a848dc63cfac882ccc8c
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO manipulation or to distribute malicious content. The document body itself is heavily obfuscated, but it contains references to URLs that the heuristics below also surfaced. The primary attack pattern observed is a link farm that directs users to potentially harmful external sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006a47.bin
    SHA-256: 26e9f3cc50720162059aecc3a72256627bb19d40717bcbe73072c1c815f8b843
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A47
    Size: 7228 bytes
  • Filename: font_01_sfnt_off000086d9.bin
    SHA-256: 50dc865112b31b8628c9170d82daeefa18b8227744a71909c0440548ffdcd4ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x86D9
    Size: 16132 bytes