Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f5b6bf6b9799374…

Verdict: MALICIOUS
File type: PDF
Size: 37.1 KB
Created: 2020-06-04 08:41:03 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d8039b0c19d83a5cc65e85d332203cb
SHA-1: 5f115900af1a5a5c1700a96044c0546591d68c38
SHA-256: 4f5b6bf6b979937407e19056398cb7532339164659ec0ae461df50020ae2a789
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO manipulation tactic. The document body, though partially corrupted, contains text related to computer parts and mentions wkhtmltopdf, indicating it was likely generated programmatically. The primary intent appears to be directing users to a network of external websites, as evidenced by the numerous URLs extracted, including http://lahaolelimacreations.com/uploads/1/3/0/3/130313274/130313274.html#las+partes+de+la+computadora+como+se and http://lacharite.net/uploads/1/3/0/7/130775196/e90354.pdf. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://lahaolelimacreations.com/uploads/1/3/0/3/130313274/130313274.html#las+partes+de+la+computadora+como+se
    • http://lacharite.net/uploads/1/3/0/7/130775196/e90354.pdf
    • http://darnellduoattentivecaring.com/uploads/1/3/0/9/130969722/8250935.pdf
    • http://languagearts227.com/uploads/1/3/1/4/131453896/765c770.pdf
    • http://mail.seeblick-grundschule-wismar.de/uploads/1/3/1/6/131607054/goxifudajag-gudaxituxul-xizokeronesid-foxezuko.pdf
    • http://lahaolelimacreations.com/uploads/1/3/0/3/130313274/terms.html
    • http://lahaolelimacreations.com/uploads/1/3/0/3/130313274/dmca.html
    • http://lahaolelimacreations.com/uploads/1/3/0/3/130313274/policy.html
    • https://bujefaz
    • https://puwubovefije.files.wordpress.com/2020/06/38451461658.pdf
    • https://toxagam.files.wordpress.com/2020/06/78323333287.pdf
    • https://xupafib.files.wordpress.com/2020/06/94633304556.pdf
    • https://wozimupo.files.wordpress.com/2020/06/nagewavipo.pdf
    • https://lelapan.files.wordpress.com/2020/06/wugipiremukabu.pdf
    • https://bixowos236323626.files.wordpress.com/2020/06/87442718244.pdf
    • https://xezifemubet.files.wordpress.com/2020/06/3980189572.pdf
    • https://bujefaz.files.wordpress.com/2020/06/42520470256.pdf
    • https://tezozila.files.wordpress.com/2020/06/fofagogilufuwefojeje.pdf
    • https://ranojogirufe.files.wordpress.com/2020/06/sokozuvovabudinalawijawi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000622b.bin
SHA-256: a736ff8d14ac31409c857b7876ebf85743525fef8dfe0bc941d5bd26895babad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x622B
Size: 12292 bytes