Malicious PDF — malware analysis report

Static analysis result for SHA-256 553b89386e6c3738…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Created: 2020-04-19 02:17:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 58002a5ef433cf98752350999bae263b
SHA-1: 1276413524fbd044fbc81726d0fff17c1dc362fc
SHA-256: 553b89386e6c373810e44918ed9b74bca2a56a993d1276ceb6f051a374438011
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files with numeric slugs, indicating a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains references to 'Cover letter sample template' and the authoring application 'wkhtmltopdf', suggesting a benign-looking lure document used to disguise the malicious links. The primary attack pattern is redirection of users into a network of external sites, most likely for phishing or malware distribution.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sensitiveminds.org/uploads/1/3/0/5/130590029/130590029.html#cover+letter+sample+template+word
    • http://alskitchen.net/uploads/1/3/0/8/130814010/d54e148.pdf
    • http://drainagecleaner.com/uploads/1/3/0/8/130874045/pimofubuxuve.pdf
    • http://seyram-co.com/uploads/1/3/0/8/130814642/wimagaxefo.pdf
    • http://americanpatriotdefense.com/uploads/1/3/0/8/130814343/79cacbbc.pdf
    • http://dahlerdesigner.com/uploads/1/3/0/3/130323477/wolinizufe.pdf
    • http://datadroppers.net/uploads/1/3/0/7/130774993/7699406.pdf
    • http://uciwpthinkbig.com/uploads/1/3/0/6/130620871/sarulozew.pdf
    • http://unwindingculturalpropertydecisions.com/uploads/1/3/0/8/130813764/lojoxigageris.pdf
    • http://laidleyelearning.com/uploads/1/3/1/3/131383416/banogibubewosuwuruk.pdf
    • http://noslipgrip.net/uploads/1/3/1/3/131383543/zezixubowevonewi.pdf
    • http://moringamaster.life/uploads/1/3/0/7/130740205/5b07a9d97502.pdf
    • http://kreuzverhoer.net/uploads/1/3/0/2/130288507/vawinuvukogegu.pdf
    • http://blingblingmobileboutique.com/uploads/1/3/0/5/130551124/f15fb2d13.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007b0c.bin
    SHA-256: 6457e6e91e3f1fbc183bf95955483f793d935ccd8cbf766327591520ef5325b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B0C
    Size: 7916 bytes
  • Filename: font_01_sfnt_off000099d5.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x99D5
    Size: 16036 bytes