Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe47167dbf05b427…

Verdict: MALICIOUS
File type: PDF

Size: 43.9 KB
Created: 2020-03-24 19:12:57 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9579bedc28f547a95d4affea6962129d
SHA-1: f0a3d97d232a584e3d1b6d980fddbecb98c7a88b
SHA-256: fe47167dbf05b427eba31f041060567d5f8ec918138fc241dc14e4937113d111
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF carries an unusually large number of external links for a 43.9 KB file, flagged by the PDF_SEO_LINK_FARM heuristic: fourteen clickable targets, thirteen of them further .pdf files. Although the rule text describes targets clustered on one host, the targets listed below sit on fourteen unrelated domains; what they share is an identical numeric /uploads/ directory layout, consistent with mass-generated hosting pages rather than genuine citations. The document text, though heavily obfuscated, references 'book pdf', and the fragment of the first link advertises an 'emma jane austen book pdf' search term, which fits SEO poisoning aimed at readers searching for free ebooks. The intended chain is that the reader follows one of these links and is routed into further downloads or phishing pages. Nothing else fires: the remaining two heuristics only record the presence of URL actions, and the only artifacts carved from the file are two embedded fonts.

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical] Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI [info] External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://4gen4.org/uploads/1/3/1/0/131071043/131071043.html#emma+jane+austen+book+pdf
    • http://hostmaster.yvettehughes.com.au/uploads/1/3/0/5/130543685/sopes.pdf
    • http://sailfishchair.com/uploads/1/3/0/4/130483087/857234.pdf
    • http://plumbercovingtonla.com/uploads/1/3/0/7/130775883/lizavulerovisoviliko.pdf
    • http://mousingarounddisney.com/uploads/1/3/0/5/130540554/davino.pdf
    • http://lectricwind.com/uploads/1/3/0/5/130542813/tilojulozukurama.pdf
    • http://stewardshiphomes.org/uploads/1/3/0/7/130738917/zezonem.pdf
    • http://babakumisalwaini.com/uploads/1/3/0/7/130739974/d470dd.pdf
    • http://prorighty.com/uploads/1/3/0/7/130776386/nudovikug_gesesi.pdf
    • http://www.855review5.com/uploads/1/3/0/4/130488401/vifixukade.pdf
    • http://leiko.org/uploads/1/3/0/4/130488163/lenurogumiris_fodamizew_vuwipijobobar.pdf
    • http://dopeshoppingmadeeasy.com/uploads/1/3/0/5/130542924/resan-gepolide.pdf
    • http://samuelprovencher.net/uploads/1/3/0/5/130588762/fipexixuba.pdf
    • http://silverbehavioralhealth.org/uploads/1/3/0/6/130604615/a6c03e1da8088d.pdf
    The following six entries are RDF, Dublin Core, Adobe PDF and XMP schema namespace identifiers from the document's XMP metadata packet, not link targets; they should not be counted toward the link-farm tally:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
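The link-farm heuristic above is straightforward to reproduce without a PDF library. The script below is an added example written for this page, not the analysis engine's own rule code. It pulls /URI action targets out of a raw PDF (inflating FlateDecode streams, since PDF 1.5 object streams can hold the annotation dictionaries), discards the XMP namespace identifiers that the EMBEDDED_URL list mixes in with real targets, and scores what remains. The thresholds (8 .pdf targets, 200 KB), the shared-directory-template signal, build_sample_pdf and its constructed sample URLs are assumptions; REPORT_URLS is the list from this report.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# XMP schema namespaces appear as literal strings in the metadata packet. They are
# identifiers, not navigable links, so they must not count toward link-farm scoring.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/",
                          "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/")

URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /A << /S /URI /URI (...) >>
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes a URL can plausibly contain."""
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\").decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Distinct /URI action targets in first-seen order. Streams are inflated and searched
    too, because object streams can hold the annotation dictionaries; streams that are
    not deflate data (fonts, images) raise zlib.error and are skipped."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    found: list[str] = []
    for blob in blobs:
        for m in URI_ACTION_RE.finditer(blob):
            url = _unescape_pdf_string(m.group(1))
            if url not in found:
                found.append(url)
    return found


def _dir_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed, so that
    /uploads/1/3/0/5/130543685/x.pdf and /uploads/1/3/0/7/130775883/y.pdf agree."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])


def link_farm_triage(urls, size_bytes, min_pdf_links=8, max_size_kb=200):
    """Score a URL list along the lines of the PDF_SEO_LINK_FARM description: small file,
    many clickable .pdf targets, targets clustered. Clustering counts on host OR on a
    shared directory template; the template signal is an assumption added here because
    the report's targets sit on unrelated hosts. Thresholds are assumptions too."""
    urls = list(urls)
    clickable = [u for u in urls if not u.startswith(XMP_NAMESPACE_PREFIXES)]
    pdf_targets = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(clickable)
    hosts = Counter(urlsplit(u).netloc.lower() for u in clickable)
    templates = Counter(_dir_template(u) for u in clickable)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template, template_count = templates.most_common(1)[0] if n else ("", 0)
    template_share = template_count / n if n else 0.0
    flagged = bool(size_bytes <= max_size_kb * 1024 and len(pdf_targets) >= min_pdf_links
                   and (host_share >= 0.5 or template_share >= 0.5))
    return {"clickable": n, "pdf_targets": len(pdf_targets), "xmp_namespaces": len(urls) - n,
            "distinct_hosts": len(hosts), "top_host_share": round(host_share, 3),
            "top_template": template, "top_template_share": round(template_share, 3),
            "link_farm": flagged}


def build_sample_pdf(urls) -> bytes:
    """Constructed test input (assumption): a skeletal, not viewer-valid PDF with one
    /Link annotation per URL, alternating between clear text and a FlateDecode stream."""
    objs = []
    for u in urls:
        esc = u.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + esc + b") >> >>")
    clear, packed = b"\n".join(objs[::2]), zlib.compress(b"\n".join(objs[1::2]))
    return b"%PDF-1.4\n" + clear + b"\n<< /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\n%%EOF\n"


# URLs exactly as listed in this report; 43.9 KB is the reported file size.
REPORT_URLS = [
    "http://4gen4.org/uploads/1/3/1/0/131071043/131071043.html#emma+jane+austen+book+pdf",
    "http://hostmaster.yvettehughes.com.au/uploads/1/3/0/5/130543685/sopes.pdf",
    "http://sailfishchair.com/uploads/1/3/0/4/130483087/857234.pdf",
    "http://plumbercovingtonla.com/uploads/1/3/0/7/130775883/lizavulerovisoviliko.pdf",
    "http://mousingarounddisney.com/uploads/1/3/0/5/130540554/davino.pdf",
    "http://lectricwind.com/uploads/1/3/0/5/130542813/tilojulozukurama.pdf",
    "http://stewardshiphomes.org/uploads/1/3/0/7/130738917/zezonem.pdf",
    "http://babakumisalwaini.com/uploads/1/3/0/7/130739974/d470dd.pdf",
    "http://prorighty.com/uploads/1/3/0/7/130776386/nudovikug_gesesi.pdf",
    "http://www.855review5.com/uploads/1/3/0/4/130488401/vifixukade.pdf",
    "http://leiko.org/uploads/1/3/0/4/130488163/lenurogumiris_fodamizew_vuwipijobobar.pdf",
    "http://dopeshoppingmadeeasy.com/uploads/1/3/0/5/130542924/resan-gepolide.pdf",
    "http://samuelprovencher.net/uploads/1/3/0/5/130588762/fipexixuba.pdf",
    "http://silverbehavioralhealth.org/uploads/1/3/0/6/130604615/a6c03e1da8088d.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/", "http://ns.adobe.com/xap/1.0/",
    "http://ns.adobe.com/xap/1.0/mm/", "http://ns.adobe.com/xap/1.0/rights/",
]
REPORT_SIZE_BYTES = int(43.9 * 1024)

if __name__ == "__main__":
    print(link_farm_triage(REPORT_URLS, REPORT_SIZE_BYTES))
```

Run against the report's list the triage reports fourteen clickable targets on fourteen distinct hosts with a single shared directory template, which is why host clustering alone would miss this sample and the template signal is worth keeping. On real files, feed extract_uri_actions the file bytes and pass len(bytes) as the size; the regex approach deliberately ignores the PDF object graph, so it will also surface /URI actions in unreferenced (orphaned) objects, which is desirable for triage.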

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00006d56.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6D56   8244 bytes
  SHA-256: 8113947cd75edd8b862b01c92e8ff2206f167c7e333d52766ada3c3b0ed915ad
font_01_sfnt_off00008d4a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x8D4A   16104 bytes
  SHA-256: 0a97bde9752fdee1f3e7370c79030bd93fe90b264c0961419b1ed7afc578e67c