Malicious PDF — malware analysis report

Static analysis result for SHA-256 f814b5d00e069313…

MALICIOUS

PDF

42.8 KB Created: 2020-06-07 10:10:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 62d00293add19510a897ad1ca0d367b0 SHA-1: 30b65f4a7cc2a473d731853e599dc090bc2fe053 SHA-256: f814b5d00e0693133a78c45be96d24d6e0c76ac1fa682a861881613f2f2db8fa
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body text, though partially corrupted, includes a reference to a movie title and the wkhtmltopdf application, suggesting a lure to external content. The PDF_SEO_LINK_FARM heuristic indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to host malicious content across multiple domains. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bidwelloptometry.net/uploads/1/3/0/6/130604823/130604823.html#minha+m%25C3%25A3e+%25C3%25A9+uma+pe%25C3%25A7a+2+filme+completo+netflix
    • http://julesjams.com/uploads/1/3/0/4/130477864/verutuvamonologuves.pdf
    • http://altocpa.com/uploads/1/3/1/4/131438313/kubumororidutiri.pdf
    • http://jamesbdanner.com/uploads/1/3/1/4/131406892/munosaxitefewibuziz.pdf
    • http://jftsd.com/uploads/1/3/0/7/130776143/ragilexew.pdf
    • http://beatricelindauer.com/uploads/1/3/0/6/130639914/soludutegex.pdf
    • http://gailsuberbiellephotography.shop/uploads/1/3/0/7/130776164/gujarikagi.pdf
    • http://mx.foregolfclub.org/uploads/1/3/1/4/131407278/5491215.pdf
    • http://pathoftheholyway.org/uploads/1/3/0/6/130604445/medow-kumemodi-jitamemalavi.pdf
    • https://suvirowom.files.wordpress.com/2020/06/katisegozomavuxapokudife.pdf
    • https://mopebafuju.files.wordpress.com/2020/06/wugawiv.pdf
    • https://vikezepe379027054.files.wordpress.com/2020/06/negoxuzu.pdf
    • https://ranizofotebo.files.wordpress.com/2020/06/9035250041.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ea4.bin
114843e5eda2b1d8e72a73eb41146122aa2f57479a12d50d130f312cd3b4fdc0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EA4 12984 bytes
font_01_sfnt_off00008650.bin
843ec7dc1bbd6ccbc964cdce6843e0278cc9cb1048285cfd99718a79dbc84da7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8650 16904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.