Malicious PDF — malware analysis report

Static analysis result for SHA-256 faa5f90372151694…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-03-08 08:54:32 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 48046303ebc80d3d5934830293e79d86
SHA-1: 9d92eb76fca5e943cd25f7a372a4e629b8d37794
SHA-256: faa5f9037215169459f2b4469c2991281344673567e06c9b92313e32252db5d4
Risk Score: 62

Malware Insights

MITRE ATT&CK: T1204.002 (Malicious Link)

This PDF document functions as a link farm, presenting a lure related to 'introduction to computer science books free download pdf'. It contains numerous embedded URLs pointing to other PDF files hosted on various domains. The primary intent appears to be directing users to a large number of external resources, likely for SEO manipulation or to distribute further malicious content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://sta-66-99-58-213.ladse.org/uploads/1/3/1/0/131070712/131070712.html#introduction+to+computer+science+books+free+download+pdf
    • http://www.candykoalaplushieemporium.com/uploads/1/3/0/6/130640104/932716.pdf
    • http://paulrealtyinvestments.com/uploads/1/3/0/8/130874289/eaaa5b.pdf
    • http://billelenbark.net/uploads/1/3/0/2/130270990/xuzuxewerukesewugale.pdf
    • http://value-scape.com/uploads/1/3/0/8/130814085/nufaramo-bopusadam-jowukovelurunip.pdf
    • http://energy-beatz.com/uploads/1/3/0/7/130740087/9a145ea318.pdf
    • http://aaagospelminister.com/uploads/1/3/0/4/130476652/bomojuxori.pdf
    • http://srec-watson.com/uploads/1/3/0/4/130490461/2057722.pdf
    • http://oakandolivejewelry.com/uploads/1/3/0/4/130483956/bosugiv-ginuz.pdf
    • http://windowpeel.com/uploads/1/3/0/5/130551523/59c10528728.pdf
    • http://cordiaaladvies.nl/uploads/1/3/0/4/130483924/bilazubilet.pdf
    • http://chuysmex.com/uploads/1/3/0/6/130620852/4434409.pdf
    • http://worldoftrading.net/uploads/1/3/0/5/130589238/pireritowazev_jinepilovakigim_modifowado.pdf
    • http://wldrentals.com/uploads/1/3/0/2/130271139/fuwamex-kubivonu-tagotuzaberez.pdf
    • http://marijuanacultivationconsultants.com/uploads/1/3/0/2/130289571/2475395.pdf
    • http://ambercove27waterfalls.com/uploads/1/3/0/5/130551192/dajikipigadazosi.pdf
    • http://hostmaster.amomentonthelips.co.uk/uploads/1/3/0/7/130775258/biludodukekagal.pdf
    • http://www.barbaravanwijnendaele.com/uploads/1/3/0/7/130775977/sevira.pdf
    • http://homeandnursery.com/uploads/1/3/0/3/130379114/98c26c4817d.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000821f.bin
SHA-256: 555e042ba678efc2e4712b62d7e4f582eccbfc55b9a920934a6757d3f8a85709
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x821F
Size: 8500 bytes