Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec3aff75b08e1347…

MALICIOUS

PDF

Size: 37.9 KB
Created: 2020-04-01 12:55:26 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 79bb424ee4ac7e1527c172511e182102
SHA-1: 53c1065e9f111c7cda725cda6d44e8c863cf33fd
SHA-256: ec3aff75b08e13478848e27ec4c2401ba0965e0c5e5248fb0e30773ed40edd34
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains references to these URLs. The primary purpose appears to be directing users to a network of websites, likely for SEO manipulation or to serve as a gateway to malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068f7.bin
SHA-256: a6fdee909b29714cd7c6feb49baabcc07b5138a1ad1035b293efaa93925b6706
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68F7
Size: 8508 bytes