Malicious PDF — malware analysis report

Static analysis result for SHA-256 f060dff6dfc6c2e8…

Verdict: MALICIOUS
File type: PDF
Size: 35.6 KB
Created: 2020-03-11 12:52:16 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 866eaf6e3001112104e1a65542f930a2
SHA-1: 3d60e9486e69af0f5b06f5b8cfcbd8ecdf2528dd
SHA-256: f060dff6dfc6c2e831698ffa00167d83fa751f492ea260b59504e7e3122a283d
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The document body, though heavily obfuscated, contains references to a 'York chiller catalogue' and multiple URLs, indicating a lure to external content. The primary intent appears to be directing users to a network of websites, likely for phishing or to serve further malicious content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://x0476086xstreamtravel.xsideas.com/uploads/1/3/0/4/130488786/130488786.html#york+chiller+catalogue+centrifugal
    • http://headsuptraining.com/uploads/1/3/0/4/130436458/ligababerasoner-xolinebuwexolu.pdf
    • http://commercialindoor.com/uploads/1/3/0/6/130639110/7fb82fa910fa547.pdf
    • http://mindfulmoto.us/uploads/1/3/0/6/130621507/6855467.pdf
    • http://bigalshealthyfood.com/uploads/1/3/0/3/130323213/nobexa_latemikibirize_folibiruliv.pdf
    • http://eatwithaconscience.com/uploads/1/3/0/7/130775858/413393.pdf
    • http://dictionary-of-regional-english.com/uploads/1/3/0/3/130313383/1163001.pdf
    • http://quorumpro.com/uploads/1/3/0/5/130588282/18560.pdf
    • http://connorcopelandcreative.com/uploads/1/3/0/4/130483759/movelosevopigov.pdf
    • http://www.fse365.com/uploads/1/3/0/6/130620486/9937719.pdf
    • http://www.meltingpalms.com/uploads/1/3/0/3/130313307/effeea401ea5.pdf
    • http://sdkuykendall.com/uploads/1/3/0/3/130324119/33ef0b6.pdf
    • http://pkwi.com.au/uploads/1/3/0/5/130550925/silamotoguparuxalipa.pdf
    • http://jennblechdesign.com/uploads/1/3/0/6/130639296/4ad41981a2d9.pdf
    • http://hostmaster.studiopaleologo.com/uploads/1/3/0/3/130313466/3199953.pdf
    • http://www.schizyjam.org/uploads/1/3/0/5/130539309/fefewi-kevetobij-fozupuwibik.pdf
    • http://galatians67.com/uploads/1/3/0/5/130589151/jikiv.pdf
    • http://iqmri.net/uploads/1/3/0/4/130483801/9885316.pdf
    • http://www.dnicolecustomprintz.com/uploads/1/3/0/3/130379133/6513888.pdf
    • http://moniquepaintings.com/uploads/1/3/0/6/130639673/c4af9a3fc5.pdf
    • http://evokidsandmoms.com/uploads/1/3/0/4/130435927/0256a7f99569338.pdf
    • http://jbandersenstudio.com/uploads/1/3/0/6/130603753/4775731.pdf
    • http://me23-holzgerlingen.de/uploads/1/3/0/8/130874304/920ba88.pdf
    • http://hostmaster.vietals.com/uploads/1/3/1/1/131163931/migukoba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006276.bin
SHA-256: 1a91bc3e94872154527b024254cc0b2a24ee8f9c191efc142094b44698cd932c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6276
Size: 7896 bytes