Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c902e7dbc3e1025…

MALICIOUS

PDF

67.3 KB Created: 2020-06-09 22:07:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8589f1e50d0f42c5e2d0870bd9c808c5 SHA-1: 2c3772192cf2ece161e09c8b6971350de574fecc SHA-256: 3c902e7dbc3e1025e9f6ec9ba4aed436ec9cdc7e2f28e599ec8befb30bef241d
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are dynamically generated and point to seemingly unrelated content, indicating a link farm or SEO spam tactic. The document body, though partially corrupted, contains text related to religious teachings and metadata indicating it was generated by wkhtmltopdf, suggesting a lure to disguise the malicious intent. The primary goal appears to be directing users to a network of suspicious URLs.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://irrj9w.salon225.com/uploads/1/3/1/6/131637631/131637631.html#kuran%25C4%25B1+kerim+tecvit+kurallar%25C4%25B1
    • http://tmtc-dc1.thorne-moorends.gov.uk/uploads/1/3/0/3/130323564/gixibajuzem.pdf
    • http://triplethreathooprecruits.com/uploads/1/3/1/0/131070407/9134674.pdf
    • http://74-123-72-203.mgwnet.com/uploads/1/3/1/3/131384573/2807957.pdf
    • http://nainarani.com/uploads/1/3/1/0/131070674/1901965.pdf
    • http://bonnarootransportation.com/uploads/1/3/0/2/130270987/d5b9eb7f9.pdf
    • http://rejuvenatehomesolutions.com/uploads/1/3/0/7/130740589/03a9296.pdf
    • http://neonmoonart.com/uploads/1/3/0/8/130874535/tamos.pdf
    • http://therapeuticessentails.com/uploads/1/3/0/2/130289256/vaxupax.pdf
    • http://hypotheekvoorouderen.com/uploads/1/3/1/4/131437298/976569f.pdf
    • https://rilusepo.files.wordpress.com/2020/06/79269431904.pdf
    • https://jojazoxo.files.wordpress.com/2020/06/81619020961.pdf
    • https://kebusura.files.wordpress.com/2020/06/tarefakexiditolewitiw.pdf
    • https://verakiwij.files.wordpress.com/2020/06/65004042876.pdf
    • https://tesukejiget.files.wordpress.com/2020/06/89125806587.pdf
    • https://xevabutifun.files.wordpress.com/2020/06/24010603026.pdf
    • https://razeloves.files.wordpress.com/2020/06/67747663862.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000ca6e.bin
8522d76344167e062429cb567eab22fd0905ee1277ede219f7c1dc9cccaa46ff		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xCA6E 28884 bytes
font_00_sfnt_off00009c0e.bin
b148d8dc25b86e6ac0c686b2068da35369887317608f22de4766003a4a6371d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9C0E 15772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.