Malicious PDF — malware analysis report

Static analysis result for SHA-256 e97a92f80e9b72d1…

Verdict: MALICIOUS
File type: PDF
Size: 51.8 KB
Created: 2020-04-01 15:00:22 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 59f3a31756c8e5a4585c1608c9fd26de
SHA-1: 7730b790c7ca13e92281df57213ac7ae18810bfc
SHA-256: e97a92f80e9b72d1e8e114dd4ae79d9d8ddf5d445733790b47d3c62428be289c
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO spam campaign. The document body is heavily obfuscated and contains some of the same URLs, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000880b.bin
  SHA-256: e33a8a9d3351a59a911094e68d721a4eacc2a1a42a9db86c2b77e0db23517267
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x880B
  Size: 2128 bytes

font_01_sfnt_off0000915b.bin
  SHA-256: 3977d003de4a4baa4da9431d2fc3cba272c15ac93f9980892e8fd930502871c5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x915B
  Size: 9316 bytes

font_02_sfnt_off0000b272.bin
  SHA-256: 885781ec91db75dc8c4a6a3d3dac0324bdfdb8f2239dab70466c62035ae072da
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB272
  Size: 4144 bytes