Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ec99ba7f6db2876…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Created: 2020-03-10 14:28:49 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5cfaa8d9643652c120c03dd05a05201e
SHA-1: e12af45e0a8cc6792d0ba63810f76190cc981592
SHA-256: 1ec99ba7f6db28768a93258547eb0fdd52af24b9d2c4dc7edfab4228e447ea1d
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains text related to 'inductive argument examples' and metadata indicating it was generated by wkhtmltopdf. The primary attack pattern appears to be a link farm designed to direct users to potentially malicious content hosted on various domains. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006e09.bin
SHA-256: af613b466ed4964f92939f6399fa4a5d5223b5991967fc617ceecf30d5c664f9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6E09
Size: 7588 bytes