Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdcd85eec65cf9a9…

MALICIOUS

PDF

Size: 40.4 KB
Created: 2020-03-29 08:26:23 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 723a49e3129320bd900a52cf86502578
SHA-1: a1c1980102ad46d5f740353783d3cce9c815784e
SHA-256: fdcd85eec65cf9a967561e4f3857c658f28b4d0266b02cb6c71b0c4d43df61c2
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique often used for SEO manipulation or to distribute further malicious content. The document body text is heavily obfuscated but contains references to URLs that are also listed in the extracted URLs. The primary heuristic identified a 'PDF_SEO_LINK_FARM' which strongly suggests the document's purpose is to host and link to numerous other PDF files, likely for malicious distribution or SEO spam.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://74-123-72-211.mgwnet.com/uploads/1/3/0/6/130604537/130604537.html#dinamica+la+telara%C3%B1a+de+lana
    • http://apocalypsepi.com/uploads/1/3/0/8/130874170/zozoguwix.pdf
    • http://karlazehren.com/uploads/1/3/0/4/130436089/labetujuwupawalude.pdf
    • http://carmelgroove.com/uploads/1/3/0/2/130289495/8980715.pdf
    • http://freelas.net/uploads/1/3/1/4/131413603/f72ca6f17b3.pdf
    • http://newmexicohealthyvending.com/uploads/1/3/1/0/131071183/wiruw.pdf
    • http://mail.ywca-orangecty.org/uploads/1/3/0/6/130603983/832c691.pdf
    • http://relationshipcoach.services/uploads/1/3/0/6/130604523/malibenixona.pdf
    • http://mid-atlanticofficeportfolio.com/uploads/1/3/1/3/131381006/gizepitalus.pdf
    • http://cpanel.tricitymustang.com/uploads/1/3/0/7/130739301/8869567.pdf
    • http://agentflamingo.com/uploads/1/3/0/5/130551962/kukibizonemupo.pdf
    • http://lisalindseywellness.com/uploads/1/3/0/8/130813953/rebinagesaluwan_jejomaxeka_tagazitosuxuvir.pdf
    • http://electrickatillac.com/uploads/1/3/0/2/130289693/kelinolip.pdf
    • http://thefarmsofpepperhills.com/uploads/1/3/0/7/130776805/gupebubex.pdf
    • http://eaglerockjuice.com/uploads/1/3/0/7/130740455/340f9.pdf
    • http://businessarenainc.com/uploads/1/3/0/2/130273625/4275044.pdf
    • http://nationalhellenicsociety.net/uploads/1/3/0/7/130776073/xikupik.pdf
    • http://icconic.com/uploads/1/3/0/6/130605519/388d7a43770205.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000071db.bin
SHA-256: da9883f3cf7d386672aeb837995a52959635819771e6280f1a22dd8a46f9ae89
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x71DB
Size: 9092 bytes