Malicious PDF — malware analysis report

Static analysis result for SHA-256 efba92fc122b0e0c…

MALICIOUS

PDF

37.3 KB Created: 2020-06-22 19:46:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7acc9641233727daf8c5ca5e5ad886d6 SHA-1: ac03e9e2d20e512bddb65b9ab5809fcce14902d7 SHA-256: efba92fc122b0e0cf760fb3046234564b32cd0c9ea0c14087fcea684579f35b6
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are hosted on unrelated domains and appear to be part of a link farm. The document body, though partially corrupted, suggests a lure related to a 'San Luis Obispo Republican voter guide'. The primary intent appears to be directing users to malicious websites for further exploitation or phishing. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://robbieperrottiyounger.com/uploads/1/3/0/9/130969682/130969682.html#san+luis+obispo+republican+voter+guide
    • http://sisterhoodbirth.com/uploads/1/3/0/7/130776085/d3c29c95.pdf
    • http://themouseauthority.com/uploads/1/3/1/0/131069961/3638198.pdf
    • http://nacdai.greganchauffeurtoursireland.com/uploads/1/3/0/2/130288639/6970976.pdf
    • http://loveisawesome.org/uploads/1/3/0/3/130323803/woloxovix_segixo_luvinezet.pdf
    • http://peopleinsyncltd.com/uploads/1/3/0/3/130313002/9468924.pdf
    • http://innovacionpublicitariamagenta.com/uploads/1/3/1/4/131438362/xinaxa.pdf
    • http://wp-translationssandiego.com/uploads/1/3/1/3/131381259/c047d0a7c1b.pdf
    • http://mail.prieangelo.lt/uploads/1/3/1/4/131438059/9080615.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000050c0.bin
27ec69333348ac98dc83b603535cf61228601b8549436b23774a313dee4000e0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50C0 5424 bytes
font_01_sfnt_off0000632e.bin
6deeda6af4c6bb39d93ef02d93a0c8d58c3703b4d84c89f6b4ea28ddd7fe4113		 pdf-font-stream PDF embedded font (sfnt) at offset 0x632E 10652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.