Malicious PDF — malware analysis report

Static analysis result for SHA-256 f312c2685367ac94…

Verdict: MALICIOUS
File type: PDF
Size: 123.4 KB
Created: 2020-06-07 02:08:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4b83df754d14866d79c9e4cc0454f06a
SHA-1: 2c4f289f7d1978d0aca6b7aa0192179ca023f582
SHA-256: f312c2685367ac94ad7ddf733c8893154af332f3b78fdd0db3fc9cd0f64325fb
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, embedding numerous external URLs. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies a large number of external links, with 'mail.buggytownbirddogs.com' being a dominant host. The document body also contains a URL pointing to 'midnightcoastgroup.co'. These indicators suggest the PDF is designed to lure users to potentially malicious external sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://midnightcoastgroup.co/uploads/1/3/1/3/131383594/131383594.html#dank+tf2+memes
    • http://mail.buggytownbirddogs.com/uploads/1/3/1/4/131409526/xamonobufegawu.pdf
    • http://millerfamilyadventures.net/uploads/1/3/0/7/130739332/6d8faa.pdf
    • http://whittonspriggs.com/uploads/1/3/1/8/131872289/jesaxisuval_gademanawededov_ziras_labanizer.pdf
    • http://leenacroft.com/uploads/1/3/1/6/131608017/3121722.pdf
    • http://cpanel.thebellevie.com/uploads/1/3/0/7/130776612/valix-lerivobuwinis-xejaxipafef-rupup.pdf
    • http://commishkit.printemall.com/uploads/1/3/1/3/131379958/jijuv.pdf
    • http://mta-sts.dc-f81edea13abf.kidezetherapy.com/uploads/1/3/1/6/131606057/7104041.pdf
    • http://citylimitshairstudio.com/uploads/1/3/0/7/130740065/towawiso.pdf
    • http://brooktheater.com/uploads/1/3/0/3/130313243/rovoxaluberufu.pdf
    • http://tree-removal.net/uploads/1/3/1/3/131398533/1856173.pdf
    • http://whatsinyourbelly.org/uploads/1/3/0/6/130621382/radabased.pdf
    • https://busamonavek.files.wordpress.com/2020/06/pekasokeme.pdf
    • https://kibawof.files.wordpress.com/2020/06/gomukefubiroso.pdf
    • https://megulorula515939005.files.wordpress.com/2020/06/10890281838.pdf
    • https://lenororawaf.files.wordpress.com/2020/06/79842366649.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (15)

Files carved from inside the sample during analysis. Each entry lists Filename, SHA-256, Kind, Source and Size.

stream_008_off0000eb61.bin
  SHA-256: efd07aee684a0ed02f18b70aba911c09060067d8d928bf2ba32abb613edc6865
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xEB61
  Size:    3016 bytes

stream_015_off00017d96.bin
  SHA-256: ae5d40dd80b58af036abe758612b1ebb9efca4c51708bf602b8ba2b134a9dc33
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x17D96
  Size:    30676 bytes

font_00_sfnt_off00008736.bin
  SHA-256: e278871f4ff0d8888ccf505af04e0caf122a8cf270c2ed5beac9af4472d0c9eb
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8736
  Size:    6444 bytes

font_01_sfnt_off000096fb.bin
  SHA-256: db5fdaf7f423d55b4146c3a4c6b9608bc821530ec4a04730ce7b0918167c7c40
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x96FB
  Size:    11140 bytes

font_02_sfnt_off0000b816.bin
  SHA-256: 83c1a71d776a2fad21dc69927c493be09c89ece2765eed7bb438891f3f2ca3bf
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB816
  Size:    6220 bytes

font_03_sfnt_off0000c734.bin
  SHA-256: e1f6085c32aca27960f36c7dbc54feac587058d1279772a80dde1ff96aa1bd6b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC734
  Size:    8988 bytes

font_04_sfnt_off0000d94e.bin
  SHA-256: 0bbec8e1630bc5f84a8ce69fc137d34b5541032a63d092238e4f5e3476efa51b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD94E
  Size:    9012 bytes

font_06_sfnt_off0000f715.bin
  SHA-256: f8609ff56d5d02eed668bb76bd9206c19bd8c5eaa0fca5c2375ed13b34c3252f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xF715
  Size:    2236 bytes

font_07_sfnt_off000100a9.bin
  SHA-256: 0f5c0efe4ccad7a3042cb2f954a21695c88ac0a69202bea05a82717ed60afa37
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x100A9
  Size:    2864 bytes

font_08_sfnt_off00010b74.bin
  SHA-256: 1621e206a4d6810b0f73879249677876c9f4a89de98b64fd9624eec1dce683f0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x10B74
  Size:    1532 bytes

font_09_sfnt_off000113bd.bin
  SHA-256: 05123ad0babf82985be56578217aa0fae5777d7ddbf873d55960bbb19c37d362
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x113BD
  Size:    7700 bytes

font_10_sfnt_off00012798.bin
  SHA-256: 30977302a219bc11a9d082eac4360f28f48b5b830d3b787106611a8e063d7627
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12798
  Size:    1620 bytes

font_11_sfnt_off00012fd9.bin
  SHA-256: 9202b8ad46df429f7e9c2aa12da484f917ec83301191545c41cf0b12842de70a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12FD9
  Size:    24388 bytes

font_13_sfnt_off0001bfc9.bin
  SHA-256: 081aa7f9044450276af0a587a44accc9ed7ee387520e9dfd90e52a5e45767254
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1BFC9
  Size:    3400 bytes

font_14_sfnt_off0001cbde.bin
  SHA-256: 532311cab0640831883faac77217282b534da8bff090c5d43b42e2b12104ecb9
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1CBDE
  Size:    6272 bytes