Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7000e3f77439dc5…

Verdict: MALICIOUS
File type: PDF
Size: 59.7 KB
Created: 2020-06-10 01:11:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 582bf1e4b6e20310106e2777c813ab80
SHA-1: 0d56ca2a4877eb1ee2786188a47f9e385ca1cd36
SHA-256: f7000e3f77439dc59e91c784d7234ec04b38ce605b303f5621eb872cb68079f2
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or distribution mechanism. The primary attack pattern involves directing users to these external resources, which could host malicious content or be part of an SEO manipulation scheme. No scripts were extracted, and the document body was unreadable.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pizdicacuzmac.com/uploads/1/3/0/4/130478709/130478709.html#%25D8%25A7%25D9%2582%25D8%25AA%25D8%25A8%25D8%25A7%25D8%25B3%25D8%25A7%25D8%25AA+%25D8%25B0%25D9%2583%25D8%25B1%25D9%2589+%25D9%2588%25D9%2581%25D8%25A7%25D8%25A9+%25D8%25A7%25D9%2584%25D8%25A3%25D8%25AE%25D8%25AA
    • http://wildbran.com/uploads/1/3/0/5/130588611/7112069.pdf
    • http://wordythoughts.club/uploads/1/3/0/4/130483766/e7469.pdf
    • http://webmail.cawsab.org/uploads/1/3/0/5/130551704/9b372ba0e1f.pdf
    • http://bespokemantels.com/uploads/1/3/1/4/131407222/padimudav-vubazotejabisu-raboboxubuf.pdf
    • http://madoarecapurua.com/uploads/1/3/0/3/130323705/bivenasizewesurif.pdf
    • http://pamelacote.com/uploads/1/3/0/8/130874431/428cb0da.pdf
    • http://vsud51.ru/uploads/1/3/0/8/130813975/3dc4a7e.pdf
    • http://hoganforsupervisor.com/uploads/1/3/0/9/130969515/nitom.pdf
    • https://fetawuvupo.files.wordpress.com/2020/06/lonipogezefanoluwonijikis.pdf
    • https://wedikul.files.wordpress.com/2020/06/91496428471.pdf
    • https://paderujudo.files.wordpress.com/2020/06/divaseti.pdf
    • https://wotilebuf.files.wordpress.com/2020/06/wowuxibegomubevakuwofuvo.pdf
    • https://wisowewemuj.files.wordpress.com/2020/06/zamokuzureribuloxewel.pdf
    • https://mulosegavo.files.wordpress.com/2020/06/7329196540.pdf
    • https://bunanezod.files.wordpress.com/2020/06/lixopapus.pdf
    • https://fibizetu452198143.files.wordpress.com/2020/06/92206334011.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • stream_003_off00008d89.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8D89
    Size: 31868 bytes
    SHA-256: 55a3637ee9f9d22f01829a4f1913b39b70f5f5649426205a3134239675c5f1b2
  • font_01_sfnt_off0000c550.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC550
    Size: 7852 bytes
    SHA-256: 5b3ad8ecea2cae5e15dd48c2e862c198f76684360dfa70f8e68f7eeb92c93a76