Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a4ee444f84424f1…

Verdict: MALICIOUS
File type: PDF
Size: 36.3 KB
Created: 2020-06-05 05:55:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4a2f8ce8f571e792c8f803cbdcdabf1d
SHA-1: 74924008419df96e2c997624dbb74f154e8022e6
SHA-256: 1a4ee444f84424f1932cccc306daef8b3d97295d2a196428aded844dacfd8051
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or SEO manipulation tactic. The document body contains text related to 'The escapist crafting guide iphone' and mentions the authoring application 'wkhtmltopdf', which is unusual for a crafting guide and may be an attempt to disguise the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://squatchlandapparel.com/uploads/1/3/1/4/131437101/131437101.html#the+escapist+crafting+guide+iphone
    • http://fudool.com/uploads/1/3/0/6/130639954/nulob_bivirosuk_fabuvagasexovu.pdf
    • http://chubbiebunniesbows.com/uploads/1/3/1/8/131856389/towale.pdf
    • http://traumaemdrtherapystlouis.com/uploads/1/3/1/8/131871627/8179087.pdf
    • http://wealthade.com/uploads/1/3/0/6/130605259/0895ee.pdf
    • http://reflexologytampa.com/uploads/1/3/0/6/130639449/364316.pdf
    • http://mamastevenhaagen.com/uploads/1/3/1/3/131378868/futamepani-xogakudalidab-fuzezesusupe.pdf
    • http://triplethreathooprecruits.com/uploads/1/3/0/5/130589429/97d019.pdf
    • http://mta-sts.mx.tinyhivedesign.com/uploads/1/3/0/4/130435834/355189af2f6db7.pdf
    • http://prodbynoah.com/uploads/1/3/1/4/131482886/1535002.pdf
    • http://squatchlandapparel.com/uploads/1/3/1/4/131437101/terms.html
    • http://squatchlandapparel.com/uploads/1/3/1/4/131437101/dmca.html
    • http://squatchlandapparel.com/uploads/1/3/1/4/131437101/policy.html
    • https://tejafuwimu.files.wordpress.com/2020/06/90480696513.pdf
    • https://susudamasot.files.wordpress.com/2020/06/869274230.pdf
    • https://tedazusalutu.files.wordpress.com/2020/06/46147196246.pdf
    • https://mabumuwilux.files.wordpress.com/2020/06/tosisikijen.pdf
    • https://surebidaxu.files.wordpress.com/2020/06/23341006681.pdf
    • https://dudikod.files.wordpress.com/2020/06/82196383468.pdf
    • https://ruvulosa.files.wordpress.com/2020/06/7064626278.pdf
    • https://diwunibe.files.wordpress.com/2020/06/27901552087.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006312.bin
SHA-256: ac43edb46a627fa223d8c458293211e29d60a8d3de983f56dd5845ce13991830
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6312
Size: 10092 bytes