Malicious PDF — malware analysis report

Static analysis result for SHA-256 53c5f1512bc8a410…

MALICIOUS

PDF

32.6 KB Created: 2020-04-03 11:59:51 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7ed1885261972ea32b0b26624f613b94 SHA-1: d9a350689342f0ef2bb196813efb52c475e1ecaa SHA-256: 53c5f1512bc8a410774b022c8d0afe477802627899bb3d1332949125b72728f2
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or redirection scheme designed to lead users to potentially malicious content. The document body contains a reference to 'Covington pike head start' and the authoring application 'wkhtmltopdf', but no explicit malicious instructions are present. The primary attack vector appears to be social engineering through the provision of numerous external links.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://strigiformae.net/uploads/1/3/1/4/131408620/131408620.html#covington+pike+head+start
    • http://heyhousecoworking.com/uploads/1/3/0/3/130323479/xozategumun_xegevubumis_kovitunizur.pdf
    • http://homeintergration.com/uploads/1/3/1/1/131164223/datukil.pdf
    • http://demo.hult-it.no/uploads/1/3/0/6/130639982/dufebikofawizulej.pdf
    • http://horsenfefferhobbies.com/uploads/1/3/0/5/130540010/8987165.pdf
    • http://connoredel.com/uploads/1/3/0/2/130273884/64e1a94f.pdf
    • http://clientcentredlearning.com/uploads/1/3/1/3/131383548/a8aac.pdf
    • http://metoodartmouth.com/uploads/1/3/0/4/130435574/3438108.pdf
    • http://cannoneyeclinic.com/uploads/1/3/1/4/131408224/361876.pdf
    • http://physicalwealth.net/uploads/1/3/0/8/130814030/386c750d6e5be.pdf
    • http://ataconsultinggroup.net/uploads/1/3/1/3/131398530/pomof.pdf
    • http://lukesguitartuition.com/uploads/1/3/1/4/131453494/6537567.pdf
    • http://lee-chandlerenterprises.com/uploads/1/3/0/2/130289209/sifovakarowadirov.pdf
    • http://kasiehunt.com/uploads/1/3/0/6/130639309/bejode.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000557e.bin
01ae50129ad114a60f0fde0b274de530753bd43c7cf5aa56e1fdf49595422862		 pdf-font-stream PDF embedded font (sfnt) at offset 0x557E 7760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.