MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or SEO manipulation tactic. The document body contains garbled text and a single visible URL, which is also part of the link farm. No scripts were extracted from this sample.
Heuristics 3
-
Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
External URI (info, PDF_URI): PDF contains an external URL action
-
Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00007880.bin 3a2221eee1983093e80c17880ec4c9e46d3b4c80d5390492f21cfa7f8ece4588 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7880 | 7384 bytes |