Malicious PDF — malware analysis report

Static analysis result for SHA-256 e815560f9a08e56a…

MALICIOUS

PDF

Size: 28.6 KB
Created: 2020-06-15 00:26:37 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7670cf1527e50f7d6ab56427428e2924
SHA-1: 3c372cdbf018c9cdc4f2b264fa126190972d18cc
SHA-256: e815560f9a08e56ac881de23af8bbd49b7c02f9702673418ee08b0a2689a6cad
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file was identified as malicious due to a heuristic firing for a PDF link farm. This indicates the document is likely part of a scheme to distribute malicious content or manipulate search engine results. The document body contains numerous URLs, several of which are hosted on suspicious domains and are likely intended to lead users to malicious sites.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000046da.bin
SHA-256: 11b303a6a38a2d751c46defcc9501cdfa4a946742b60605a0abfbdcb6a94745e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x46DA
Size: 9548 bytes