Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4f7306f692b8d98…

MALICIOUS

PDF

33.8 KB Created: 2020-04-10 17:31:42 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4fd684faec0234f8a4d0b8a68fda93b3 SHA-1: a25e9390767aac75fbce85eb7a49c2959da15681 SHA-256: f4f7306f692b8d98a05e4b321b7a8370c47d71a6cdf4bcb59e75f2de4baa8b40
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links to other PDF files hosted across numerous domains. This behavior is indicative of a link farm or SEO spam campaign, potentially used to distribute malware or phishing content. The ClamAV detection as 'Pdf.Dropper.Agent' further supports its malicious nature. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the specific payload.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-9227527-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9227527-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://brendaleelewis.com/uploads/1/3/0/2/130271240/130271240.html#dollar+origami+butterfly
    • http://ctlemon84.agency/uploads/1/3/0/4/130489097/koguwetike-podozudu-favubanepadowo.pdf
    • http://s-ya-777.com/uploads/1/3/0/8/130874676/duromeso-votobel.pdf
    • http://mcctowingcollc.com/uploads/1/3/0/5/130543019/2745326.pdf
    • http://mchdehs.org/uploads/1/3/1/3/131381243/tenab.pdf
    • http://dailyfastbreak.com/uploads/1/3/0/7/130775876/5189305.pdf
    • http://thegoldblacklist.com/uploads/1/3/1/3/131378990/9a263d7979a.pdf
    • http://jjcarolan.org/uploads/1/3/0/7/130776304/0b3a4243c5ee490.pdf
    • http://shop-brokenlimits.com/uploads/1/3/0/7/130739076/1fcb188e.pdf
    • http://pingfarestravel.com/uploads/1/3/0/5/130590380/7ca72be9f.pdf
    • http://tftcreative.com/uploads/1/3/0/5/130589166/2819734.pdf
    • http://alisonfiorito.com/uploads/1/3/0/2/130273576/321c4.pdf
    • http://expresscomputerrepair.ca/uploads/1/3/0/6/130620574/zapuzigokibon.pdf
    • http://theequi.com/uploads/1/3/0/8/130874361/fefikezalujerolev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d1e.bin
c683f3c76a29ddcec9c20450ef246ae8a49d8767c5d7c2a19ff253561911a681		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D1E 7384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.