Malicious PDF — malware analysis report

Static analysis result for SHA-256 433cc6edf675ce44…

Verdict: MALICIOUS
File type: PDF
Size: 67.4 KB
Created: 2020-03-12 08:25:24 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8351ab1e77acc79d64a769bf8e18912f
SHA-1: f72b668f9a3d47bde3bd65051aa0b4bb0304cf95
SHA-256: 433cc6edf675ce4427bfca6d5bc67d6b99a43b95213ce787c6a6c06386d1b14a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or SEO poisoning tactic. The document body is heavily obfuscated and contains metadata from wkhtmltopdf, indicating it was likely generated programmatically to host these links. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000bbe6.bin
    SHA-256: bfd6d1353bdd8f1ba5de753060e7cb2bc6b659fc3d61c50df7db301c92df5286
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBBE6
    Size: 9228 bytes
  • font_01_sfnt_off0000de71.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDE71
    Size: 2864 bytes
  • font_02_sfnt_off0000e888.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE888
    Size: 16036 bytes