MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though partially corrupted, contains text related to a medical test ('Apprehension test for shoulder instability'), suggesting a lure to disguise the malicious intent. The primary attack pattern involves redirecting users to these external URLs, which likely host further malicious content or phishing pages.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000d8e9.bin 6b1113f22ff6598ee5f3817e78464857be9724957810d6a8f63fff0a988274fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD8E9 | 8332 bytes |
| font_01_sfnt_off0000f8ea.bin e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF8EA | 2652 bytes |