Malicious PDF — malware analysis report

Static analysis result for SHA-256 f04d58316ef86a93…

MALICIOUS

PDF

Size: 41.0 KB
Created: 2020-03-20 13:51:59 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5e6e3f8d4f4f8a4122f2845b35b95d88
SHA-1: 8ea20278cdef41ea44b5907ad8978926abcc7317
SHA-256: f04d58316ef86a93cfc8f0b923cbd5e403281b584aaa9329ac6d7f3a8705cb45
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link

The PDF document contains a large number of external link annotations (23 of them point at other .pdf files, on distinct hosts but with an identical /uploads/1/3/0/<n>/<id>/ path layout), a pattern typical of SEO poisoning and of carriers that route users to malicious websites. The heuristic 'PDF_SEO_LINK_FARM' flags this behavior and indicates a potential phishing or malware distribution vector. The wkhtmltopdf authoring metadata is consistent with an automatically generated HTML-to-PDF document. No scripts were extracted from this sample; the remaining extracted URLs are XMP namespace identifiers from the metadata stream, not clickable links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://issi.si/uploads/1/3/0/7/130775516/130775516.html#cuisinart+double+belgian+waffle+maker+%28model+waf-f20b%29
    • http://croftoncares.org/uploads/1/3/0/6/130620892/1531862.pdf
    • http://hansenrealestategroup.com/uploads/1/3/0/8/130813055/fb9f9ae9.pdf
    • http://www.hidden-gardens.com/uploads/1/3/0/6/130604429/nowin.pdf
    • http://scwaterfrontworks.com/uploads/1/3/0/4/130488382/9494804.pdf
    • http://marshmilitia.com/uploads/1/3/0/6/130639642/patasenororezoz.pdf
    • http://builtonselfsuccess.net/uploads/1/3/0/7/130775758/5056604.pdf
    • http://ptmusicacademy.com/uploads/1/3/0/2/130271219/6389496.pdf
    • http://zuqiujiaolian.f18.ebkf.org/uploads/1/3/0/9/130969796/rakepivujimuvudef.pdf
    • http://restaurierungsatelier-ernst.de/uploads/1/3/0/8/130813548/tosajarir_bajokuvam_fivimotu_wajubisuki.pdf
    • http://chivoremerald.org/uploads/1/3/0/7/130776747/6052056.pdf
    • http://signatureboutique.net/uploads/1/3/0/3/130323635/6546644.pdf
    • http://jarredmatthes.org/uploads/1/3/0/3/130324063/90aa73144.pdf
    • http://sharlamandere.com/uploads/1/3/0/7/130776420/44453e3d02c7b.pdf
    • http://plane-workshops.com/uploads/1/3/0/7/130776578/9531987.pdf
    • http://www.hairbyenessa.com/uploads/1/3/0/5/130539279/901d7c.pdf
    • http://thehurtworld.com/uploads/1/3/0/6/130603803/dd05c7aa8.pdf
    • http://www.empayar-jutawan.com/uploads/1/3/0/4/130489649/vukotuxaxo.pdf
    • http://www.ellenrbnsn.com/uploads/1/3/0/3/130323632/5892411.pdf
    • http://berkshireconstructiongroup.com/uploads/1/3/0/7/130775280/sajogifane.pdf
    • http://theemberscovenant.com/uploads/1/3/0/6/130639452/fituwolagex.pdf
    • http://www.carolgraham.net/uploads/1/3/0/5/130544652/xalebokipinawug.pdf
    • http://pmpclones.com/uploads/1/3/0/7/130776801/bovokiwalivetu-wobefumonoxujax-xovanobi.pdf
    • http://californiaspac.com/uploads/1/3/0/6/130621868/d5a08b40e68705.pdf
    XMP/RDF namespace URIs from the document's metadata stream (schema identifiers, not link annotations):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
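A minimal triage script for the PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above, added here as an example and not the report tool's own code. It extracts /URI actions from the raw bytes (literal and hex string forms, with PDF escape handling), labels XMP xmlns URIs as metadata rather than clickable links, and scores the small-file / many-external-.pdf-links pattern. The thresholds, the function names, and the constructed sample PDF are assumptions for illustration; because it scans raw bytes it only sees URIs that are not inside compressed object streams.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Illustrative thresholds (assumptions, not the report tool's real values).
SMALL_PDF_BYTES = 256 * 1024   # carrier counts as "small"
MIN_PDF_LINKS = 10             # "many" clickable external .pdf targets

# /URI values as PDF literal strings (...) or hex strings <...>.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# Namespace declarations inside an XMP packet: metadata, never clickable.
_XMP_PACKET = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
_XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')


def unescape_pdf_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t \\b \\f and \\ddd octal.
    Unescaped balanced parentheses are not handled (the regex stops at the first ')')."""
    simple = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}  # n r t b f
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):            # backslash
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1                                     # up to three octal digits
            if j > i + 1:
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            else:                                          # \( \) \\ or a named escape
                out.append(simple.get(raw[i + 1], raw[i + 1]))
                i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_urls(data: bytes) -> dict:
    """Label each URL by the channel that carries it: 'link_annotation' for
    /URI actions (clickable), 'xmp_namespace' for RDF/XMP xmlns identifiers."""
    found = {}
    for m in _URI_LITERAL.finditer(data):
        found[unescape_pdf_literal(m.group(1)).decode("latin-1")] = "link_annotation"
    for m in _URI_HEX.finditer(data):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:                # PDF pads an odd final hex digit with 0
            digits += b"0"
        found[bytes.fromhex(digits.decode("ascii")).decode("latin-1")] = "link_annotation"
    for pkt in _XMP_PACKET.finditer(data):
        for m in _XMLNS.finditer(pkt.group(0)):
            found.setdefault(m.group(1).decode("latin-1"), "xmp_namespace")  # never overrides a real link
    return found


def link_farm_score(data: bytes) -> dict:
    """PDF_SEO_LINK_FARM-style check: a small file carrying many clickable external
    links to other .pdf files; also reports how concentrated the targets are on one host."""
    urls = extract_urls(data)
    pdf_links = [u for u, ch in urls.items() if ch == "link_annotation"
                 and urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {"size": len(data), "pdf_link_count": len(pdf_links), "top_host": top_host,
            "top_host_share": top_n / len(pdf_links) if pdf_links else 0.0,
            "flag": len(data) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_PDF_LINKS}


def build_sample_pdf(n_links: int) -> bytes:
    """Constructed test input (not a real sample): a one-page PDF with n_links /Link
    annotations to .pdf files on distinct hosts plus an XMP metadata stream."""
    urls = [f"http://host{i}.example.invalid/uploads/{i}/file{i}.pdf" for i in range(n_links)]
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
              for u in urls]
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>'
           '</rdf:RDF></x:xmpmeta>')
    objs = ["<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots ["
            + " ".join(f"{5 + i} 0 R" for i in range(n_links)) + "] >>",
            f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream"
            ] + annots
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode("ascii")
    out += b"".join(f"{o:010d} 00000 n \n".encode("ascii") for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode("ascii")
    return bytes(out)


if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(24)))
```

Two practical notes. First, a real tool inflates /FlateDecode streams and unpacks /ObjStm object streams with zlib before scanning, since an HTML-to-PDF converter may place annotation dictionaries inside compressed object streams where a raw-byte regex never sees them. Second, the host-concentration figure alone would not fire on the sample in this report, whose targets sit on 23 different hosts; the shared /uploads/1/3/0/<n>/<id>/ path template is the stronger clustering signal there, and a path-template similarity check is a natural extension of link_farm_score.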

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007649.bin
SHA-256: 6f01d229042dc2c239857c87a564075df1a85f33e1572215eaf50315028bc6f4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7649
Size: 8144 bytes