Malicious PDF — malware analysis report

Static analysis result for SHA-256 f35207ddff03875d…

Verdict: MALICIOUS

File type: PDF

Size: 44.2 KB
Created: 2020-05-22 10:24:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9473cded96f7ec6f1ffcbd508386cfb7
SHA-1: 5ef12be83dc08d2363045e5a717452fe547c0c24
SHA-256: f35207ddff03875de84f7bc587507e8797793dedb98d909e6053d025e6888f49
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are dynamically generated and point to seemingly unrelated PDF files. The heuristic 'PDF_SEO_LINK_FARM' flags a technique for artificially inflating search engine rankings; such generated link-farm PDFs are often used to host malicious content or phishing pages. The embedded URLs, such as 'http://sui86.salon225.com/uploads/1/3/0/6/130604765/130604765.html#development+through+the+lifespan+5th+edition+pdf+free', are presented as free PDF downloads and likely serve as a lure to redirect users to potentially malicious sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sui86.salon225.com/uploads/1/3/0/6/130604765/130604765.html#development+through+the+lifespan+5th+edition+pdf+free
    • http://rieraconstruction.com/uploads/1/3/0/5/130544132/danidud_peles.pdf
    • http://maria-valdes.com/uploads/1/3/0/7/130739524/lanav.pdf
    • http://madeleinemfuru.com/uploads/1/3/0/4/130491947/sanesomuxafavuz-wiloweris-nopopilugazode-xatalojagi.pdf
    • http://actongateaudio.co.uk/uploads/1/3/1/1/131164067/degujox_fopuzilidojo.pdf
    • http://eagleskinplicity.com/uploads/1/3/0/7/130776183/108612.pdf
    • http://gala226.org/uploads/1/3/0/6/130639557/jufanidarep-tojunakepa.pdf
    • http://trailblazingco.com/uploads/1/3/0/6/130622103/wusajimiwe_zurulapak_noxalujeto_dupiduvekop.pdf
    • http://linbarrlogisticsllc.com/uploads/1/3/0/4/130477915/rebamunowa.pdf
    • http://sea-riders.com/uploads/1/3/0/6/130639489/tixuruvuvifel.pdf
    • http://wecare.aura-reader.com/uploads/1/3/1/4/131437827/78ed09dc6.pdf
    • http://crabhousefortsmith.com/uploads/1/3/0/7/130775001/zitipujexijowemu.pdf
    • http://mrsdsmithsthirdgrade.com/uploads/1/3/1/3/131398366/7319606ea.pdf
    • http://dizitart.com/uploads/1/3/1/4/131437969/koronuwobudot-fepibuxasofajix-sadolamet.pdf
    • http://dr-ballouz.eu/uploads/1/3/0/8/130874031/4620374.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
------------------------------+-----------------+-------------------------------------------+-----------
font_00_sfnt_off00008333.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8333 | 9868 bytes

SHA-256 of font_00_sfnt_off00008333.bin: e3c9ae83e8ca2d500d6e8dfbff509a4ed9b7be221349893c41a40057e84e74ff