Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e69b0c3b0513626…

MALICIOUS

PDF

Size: 112.0 KB
Created: 2020-04-12 11:09:44 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6975276394759bacd2cd7ad0c52020a5
SHA-1: fb3162a67b8ed4b2b26ce094d71e650fb2d05315
SHA-256: 2e69b0c3b0513626dbb06d097a2a97cec2563e36e546af807a1da8dfa2227e5a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body text, though partially corrupted, includes the string 'Tabla ascii completa wikipedia' and references wkhtmltopdf, suggesting a deceptive lure. The primary attack pattern involves redirecting users to a link farm, likely for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://havencounsellingedinburgh.com/uploads/1/3/1/4/131406855/131406855.html#tabla+ascii+completa+wikipedia
    • http://emmashelpinghands.net/uploads/1/3/1/0/131070318/4912e04.pdf
    • http://myriadproduceconsultingserv.com/uploads/1/3/1/3/131383255/56e55e61.pdf
    • http://hausere.com/uploads/1/3/0/6/130603894/tufixefetepuli.pdf
    • http://asiatikaperu.com/uploads/1/3/0/9/130969448/sotosaj.pdf
    • http://dostal.at/uploads/1/3/1/0/131070137/zobevewelat_petefifo.pdf
    • http://atlanticcoastedx.com/uploads/1/3/0/4/130435962/mupuwak-tijixara-tuzutaxovit.pdf
    • http://hagansprincin.com/uploads/1/3/0/6/130621946/c406a1397a80.pdf
    • http://imobiliariadoral.com/uploads/1/3/0/6/130604703/c681e30ead20e2e.pdf
    • http://heritagetreeservice.com/uploads/1/3/1/3/131384771/87c3d2257.pdf
    • http://unecanettealafois.com/uploads/1/3/0/4/130488616/povog.pdf
    • http://utahvacayrentalz.com/uploads/1/3/0/2/130274145/4884092.pdf
    • http://angelhomebiz.info/uploads/1/3/0/7/130776476/7251309.pdf
    • http://nutri-net.fr/uploads/1/3/0/8/130814630/8341995.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00014820.bin
    SHA-256: 5aae55d9bf1e137460ba0582628b6e2cb11d1c70a361727b419eda5964d8dd0a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14820
    Size: 13528 bytes
  • font_01_sfnt_off00017658.bin
    SHA-256: 3b19eb9a19cfa6a3700abc0b2a55db4c69fc5c41451ae0cc4fd9bdf09e18c6a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17658
    Size: 2732 bytes
  • font_02_sfnt_off00018004.bin
    SHA-256: 026b2fe56966ae226f39754eb5d21bfe368367d95f850a22aed4b23127a5df56
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18004
    Size: 16292 bytes
  • font_03_sfnt_off000195be.bin
    SHA-256: 93458e8d5f8a08acf40e9e7d8d3e70793c461bd33ccca4db0ab47cc95a497f79
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x195BE
    Size: 13484 bytes