Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea5c3961f3a0a23e…

Verdict: MALICIOUS
File type: PDF
Size: 53.5 KB
Created: 2020-03-12 06:52:23 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 94811d3e4db94a20c4e992d65097599d
SHA-1: 00ea180512ef913c9f88ae1262c7a660001b2f8a
SHA-256: ea5c3961f3a0a23e0ae2a65d902cd98bb6b87bf71d65a442d11deee99d01f3ba
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, forming a link farm. The primary URL points to a page that itself contains numerous links to other PDF files hosted on various domains. This suggests a tactic to distribute malicious content or SEO spam across many sites. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://i94wdqna.brdge.org/uploads/1/3/0/8/130815137/130815137.html#mapa+mudo+politico+de+america+para+imprimir

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006b04.bin | 399d382cc16015272a2ab0f94435d5ce0ac48dfa3a2e3bdfff8ad2bc39b70e78 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B04 | 10180 bytes
font_01_sfnt_off00008de7.bin | b690150ea62f439655b4efa18c5588cd39df9dc3f36e087faf1c8c16d3fcbbf4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8DE7 | 4808 bytes
font_02_sfnt_off00009d60.bin | f962d1bf3fcaf8a75fbef37bf4396b8e7490ad5b98475d95e41ea7609c12e1b3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D60 | 16684 bytes
font_03_sfnt_off0000b47b.bin | 4d2650191318e8fd439df5003fc9a59485bf31816a31a5f9d83c20b9fc7d82ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB47B | 6620 bytes