Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9a99371b4ca500a…

MALICIOUS

PDF

37.3 KB Created: 2020-06-10 03:03:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 684264fe5a0770ebb3086f086b0b1efd SHA-1: e09d1662be39bed488cca5078c47bd9747dda20d SHA-256: f9a99371b4ca500a1d73e8f53d5e771f9c3e3088660405a88b93ee8d2b62093e
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

This PDF document contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body is heavily obfuscated but contains several URLs that are also listed in the extracted URLs. The primary attack pattern appears to be a link farm designed to redirect users to potentially malicious content hosted on numerous domains.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://promisso.org/uploads/1/3/0/5/130589080/130589080.html#antropologia+uma+introdu%25C3%25A7%25C3%25A3o+marina+d
    • http://createpowtoon.com/uploads/1/3/1/4/131453918/710dfdd.pdf
    • http://coachmikellc.com/uploads/1/3/0/5/130551114/sezemesaru.pdf
    • http://webdisk.thespicycowgirl.com/uploads/1/3/0/7/130776779/4322357.pdf
    • http://goatcare101.com/uploads/1/3/0/5/130551319/wokok.pdf
    • http://1astprints.com/uploads/1/3/0/4/130435672/6139350.pdf
    • http://thisisntothesitestesees.w33blyqa.com/uploads/1/3/0/4/130488749/jujabezepaku-burakejemux-gopabadarejibip.pdf
    • http://andreabennettxiong.com/uploads/1/3/1/6/131606864/zegesiparer.pdf
    • http://74-123-75-48.mgwnet.com/uploads/1/3/1/3/131380433/rodoxatiludag-wavuputujolimo-nikoji-vibukifi.pdf
    • http://cpanel.freerepublicdefense.com/uploads/1/3/0/7/130739445/e3cc72.pdf
    • https://linisusored.files.wordpress.com/2020/06/zunaraledejudomexawasefu.pdf
    • https://ziboruxupebi.files.wordpress.com/2020/06/zinomajetewo.pdf
    • https://bupemunusovu.files.wordpress.com/2020/06/jejadosumusodolawosude.pdf
    • https://pezuxoni.files.wordpress.com/2020/06/41194164773.pdf
    • https://nizoxede.files.wordpress.com/2020/06/37408911526.pdf
    • https://nirumepuna.files.wordpress.com/2020/06/80284280019.pdf
    • https://saperip.files.wordpress.com/2020/06/98436443459.pdf
    • https://juzuzinon.files.wordpress.com/2020/06/konutu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://saperip.files.wordpress.com/2

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005ee9.bin
3a950b5bde47fdf657ded285070dd41514dc943aaa062ef0102c0daaca712180		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EE9 13556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.