Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec8029744991228e…

MALICIOUS

PDF

Size: 40.6 KB
Created: 2020-03-25 05:30:07 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6d6c3ac2824a4a10a11a9bd7b2613c23
SHA-1: 1bf8def915b654e69add2dd1a67c8d44e9969aff
SHA-256: ec8029744991228e68d65f066d4b832004a3d3765e44864b5a4cf82f9b4e316a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named, suggesting a link farm or SEO spam campaign. The document body, though heavily obfuscated, contains a URL that appears to be a lure related to 'Stihl fs 55 rc parts diagram'. The presence of numerous PDF links hosted on various domains indicates a coordinated effort to drive traffic to these external sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mynaturalhairspa.com/uploads/1/3/1/3/131383943/131383943.html#stihl+fs+55+rc+parts+diagram

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000073b1.bin
SHA-256:  b74d8184db3ad904ca4ddfcce1e8b0feaa54cb3d779cff511b73ce31aab57c16
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x73B1
Size:     8200 bytes