Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd49d329a5a18bc4…

MALICIOUS

PDF

Size: 39.9 KB
Created: 2020-03-20 12:22:39 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7d89aec659e49ff22d6e4a59021a6000
SHA-1: 3b05e70cc23e48e0dc13d78f3f8b22f538d1d7d3
SHA-256: fd49d329a5a18bc48b838f99f5ebc041a695c7ed1a4c4dc7c2e1224f23a7e28a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm or a mechanism to distribute further malicious content. The primary heuristic identified a "PDF_SEO_LINK_FARM" which suggests a deliberate attempt to create a network of linked documents. The embedded URLs and the document body text, though partially corrupted, also contain references to these external links.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                    | Size
font_00_sfnt_off0000673a.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x673A | 8636 bytes
  SHA-256: 7f8554fe8451f23334e009031c0f683510e6df990b25e410a6e4b33b1c3d0848
font_01_sfnt_off000086e7.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x86E7 | 2884 bytes
  SHA-256: e2a609504f31aba74360c8f97aead3d8f97c76e888a653261413c8bef59e3205