PDF malware analysis — malicious · f6fed713398fec43

MALICIOUS

PDF

39.3 KB Created: 2020-03-30 12:55:22 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 73a8d8ad966a93db971f0f162511550e SHA-1: 38f9848b96df3bb239b6f8da7fda61e4c8b32064 SHA-256: f6fed713398fec432d5c45139673c92a98c5ac5bba2e4e3bb2ed3ecff7ea4ae0

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. One of these links, http://74-123-75-199.mgwnet.com/uploads/1/3/1/1/131164180/131164180.html#letra+cancion+si+tu+no+estas+aqui+angeles+del+infierno, is embedded within the document body. This suggests the document's primary purpose is to redirect users to potentially malicious external content, possibly for SEO spam or to host further stages of an attack.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://74-123-75-199.mgwnet.com/uploads/1/3/1/1/131164180/131164180.html#letra+cancion+si+tu+no+estas+aqui+angeles+del+infierno
- http://pppresenting.com/uploads/1/3/0/2/130288915/6764452.pdf
- http://roofingcontractorplanotexas.com/uploads/1/3/0/9/130969462/vumibodekazamupe.pdf
- http://surfzengems.com/uploads/1/3/0/5/130590096/6cb44.pdf
- http://swimbikerundesign.com/uploads/1/3/1/4/131407493/gibis-vinalurap-mibav.pdf
- http://shhmigtagraphy.com/uploads/1/3/0/6/130621832/fokejaw.pdf
- http://mackspaintandbodyshop.mackspaintandbodyshop.com/uploads/1/3/0/6/130640091/75811c7a42d5.pdf
- http://www.gobylivi.com/uploads/1/3/1/4/131438278/2043981.pdf
- http://brunserin.com/uploads/1/3/0/9/130969973/b2d21529b.pdf
- http://thejcrawfordagency.com/uploads/1/3/1/0/131070398/e1ce8221a.pdf
- http://jamesrichards.xyz/uploads/1/3/0/7/130740556/75b994243.pdf
- http://inmemoryofbas.com/uploads/1/3/0/5/130540178/3053040.pdf
- http://felicityismyname.com/uploads/1/3/1/1/131164021/dujilizexej-gerigopazasifig-puxiwifodu-vupiwubeles.pdf
- http://archersonstore.com/uploads/1/3/0/5/130543173/600d8812a42.pdf
- http://texereanalytics.com/uploads/1/3/0/9/130969707/145932.pdf
- http://chiomegamidland.com/uploads/1/3/0/2/130270980/dedegadobimakap.pdf
- http://crystalobregon.net/uploads/1/3/0/5/130545260/3023700.pdf
- http://screenwarriorgaming.com/uploads/1/3/0/6/130604903/2153280.pdf
- http://morethansoulfood.net/uploads/1/3/0/6/130621983/df97c1.pdf
- http://teamnonmeta.org/uploads/1/3/0/4/130476171/d5199422315d3.pdf
- http://missfitmaroc.com/uploads/1/3/0/4/130483577/jusijekane.pdf
- http://flutestopperplug.com/uploads/1/3/0/8/130813546/6547200.pdf
- http://ryancassidy.info/uploads/1/3/1/1/131163793/8920734.pdf
- http://fall4franklin.org/uploads/1/3/0/9/130969051/xabafapinopaf.pdf
- http://risechildrenschoir.org/uploads/1/3/0/6/130604241/bekofotuwu.pdf
- http://risechildrenschoir.org/uploads/1/3/0
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006b2c.bin` `81d44528eb7e9aa7ebf4b378e0506f74c2b258f9cf47bea86acbf83d43bc1fc2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6B2C	9628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.