Malicious PDF — malware analysis report

Static analysis result for SHA-256 592c21f0d502d9a9…

MALICIOUS

PDF

Size: 36.2 KB
Created: 2020-05-10 01:09:12 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 83434a71ebe5895395e944676f757585
SHA-1: f4e509b4e299876f61499279e0404c208a37c589
SHA-256: 592c21f0d502d9a918cc1e2258f9d58d1faa6db290d9e1fb72d736a14e341625
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links that together form a link farm, built to route users to many third-party sites rather than to cite sources. The document body, though partially corrupted, contains travel-guide text (the first extracted URL carries the fragment paris+10th+arrondissement+travel+guide) and producer metadata from wkhtmltopdf, an HTML-to-PDF converter, which is consistent with a machine-generated SEO lure rather than a hand-authored document. The link targets sit on many different hosts but share one path structure (an /uploads/ directory tree ending in a nine-digit numeric id and a PDF filename), so the clustering is by hosting pattern rather than by hostname. The primary attack pattern is redirection of users through this link farm; all three heuristics that fired concern URI actions, and none reports JavaScript, launch actions or an exploit, so the risk lies in where the links lead.

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://renewalleave.org/uploads/1/3/1/4/131453396/131453396.html#paris+10th+arrondissement+travel+guide
    • http://doneagainhomes.org/uploads/1/3/0/5/130551782/2601553.pdf
    • http://valokuvauskirsi.com/uploads/1/3/0/4/130476688/mawulejedijazopu.pdf
    • http://cleardiamondpools.com/uploads/1/3/0/7/130775295/kamomajivekajad.pdf
    • http://botanicahomebody.com/uploads/1/3/0/6/130604958/ba75c8c922f7e3e.pdf
    • http://ffheartoffire.com/uploads/1/3/0/7/130775557/numiwujorit-wimana.pdf
    • http://bossmamasuniversity.org/uploads/1/3/0/8/130874114/d0a10f869.pdf
    • http://f3coin.net/uploads/1/3/0/6/130640123/fegusonivofiz-riliw.pdf
    • http://sonatelsolutions.com/uploads/1/3/0/6/130620439/f266f56.pdf
    • http://susannesreedhar.com/uploads/1/3/0/5/130551518/peregopisasoguti.pdf
    • http://sh8kmusic.com/uploads/1/3/0/8/130874285/bojadimuba-zagizevipirezuz-dutawu-roroziso.pdf
    • http://thaiyoga.shop/uploads/1/3/0/2/130288592/midopek_wugolifize_dalele.pdf
    • http://sethsep.com/uploads/1/3/0/9/130969631/6b3c69.pdf
    • http://ladolcevita-lakelugano.com/uploads/1/3/0/9/130969352/6771874.pdf
    • http://nationalsteelbuildingsltd.com/uploads/1/3/1/3/131379769/b57b55dcaf.pdf
    • http://beautyempirebundaberg.com/uploads/1/3/0/5/130588668/4cd7be4cd99f.pdf
    • http://theultimatesellingguide.com/uploads/1/3/1/4/131453894/6365806.pdf
    • http://changingimagesllc.com/uploads/1/3/0/7/130739076/fajanukam-jekapexo-sudofokil-bovovalubexit.pdf
    • http://iwill-nyc.org/uploads/1/3/0/5/130551057/xawanumu_zeparazirimuf.pdf
    The last five entries are XMP metadata namespace URIs (RDF, Dublin Core and Adobe XMP schemas) taken from the document's metadata packet; they are schema identifiers, not link targets, and do not count toward the link farm:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
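The PDF_SEO_LINK_FARM heuristic above, as an added worked example (this is not the report tool's own code): sweep /URI actions out of raw PDF bytes, discard XMP namespace URIs, then measure how the remaining links cluster by host and by path template. The thresholds, the minimal PDF builder and the sample (a subset of the URLs listed above) are assumptions for illustration; clustering on a path template is an extension of the rule text that catches a farm spread across many hostnames, as in this sample.

```python
# Link-farm heuristic for small PDFs. Added example, not the report tool's
# code: thresholds, the PDF builder and the sample are illustration only.
import re
from collections import Counter
from urllib.parse import urlsplit

# XMP/RDF namespace URIs turn up in a naive URL sweep of PDF metadata, but
# they are namespace identifiers, never clickable link targets.
METADATA_NS_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/xap/1.0/",
)

# Assumed thresholds; the report does not state the tool's own values.
MAX_SIZE_BYTES = 100 * 1024   # "small" PDF
MIN_EXTERNAL_LINKS = 10       # "many" clickable links
MIN_CLUSTER_SHARE = 0.6       # share of links on one host or one path template

# Simplification: literal-string /URI values only. Escaped parentheses, hex
# strings and links inside compressed object streams are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return the target of every /URI action, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url: str) -> str:
    """Directory part of the URL path with digit runs collapsed to 'N', so
    links that differ only in numeric IDs fall into one bucket."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def score_link_farm(pdf_bytes: bytes) -> dict:
    """PDF_SEO_LINK_FARM-style scoring over raw PDF bytes."""
    links = [u for u in extract_uris(pdf_bytes)
             if not u.startswith(METADATA_NS_PREFIXES)]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(links)
    hosts = Counter(urlsplit(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, host_n = hosts.most_common(1)[0] if n else (None, 0)
    top_tmpl, tmpl_n = templates.most_common(1)[0] if n else (None, 0)
    host_share = host_n / n if n else 0.0
    tmpl_share = tmpl_n / n if n else 0.0
    return {
        "size": len(pdf_bytes),
        "n_links": n,
        "n_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": host_share,
        "top_template": top_tmpl,
        "top_template_share": tmpl_share,
        # Host clustering alone would miss this sample: every link sits on a
        # different host, but all share one upload-path template.
        "link_farm": (len(pdf_bytes) <= MAX_SIZE_BYTES
                      and n >= MIN_EXTERNAL_LINKS
                      and max(host_share, tmpl_share) >= MIN_CLUSTER_SHARE),
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed stand-in: a minimal PDF-like byte string with one /Link
    annotation per URL. Enough for the sweep above, not a valid PDF."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n"
        % u.encode("ascii") for u in urls)
    return b"%PDF-1.4\n" + annots + b"%%EOF\n"


# A subset of the report's Embedded URL list, plus the three XMP namespace
# URIs the sweep must discard.
SAMPLE_URLS = [
    "http://renewalleave.org/uploads/1/3/1/4/131453396/131453396.html"
    "#paris+10th+arrondissement+travel+guide",
    "http://doneagainhomes.org/uploads/1/3/0/5/130551782/2601553.pdf",
    "http://valokuvauskirsi.com/uploads/1/3/0/4/130476688/mawulejedijazopu.pdf",
    "http://cleardiamondpools.com/uploads/1/3/0/7/130775295/kamomajivekajad.pdf",
    "http://botanicahomebody.com/uploads/1/3/0/6/130604958/ba75c8c922f7e3e.pdf",
    "http://ffheartoffire.com/uploads/1/3/0/7/130775557/numiwujorit-wimana.pdf",
    "http://bossmamasuniversity.org/uploads/1/3/0/8/130874114/d0a10f869.pdf",
    "http://f3coin.net/uploads/1/3/0/6/130640123/fegusonivofiz-riliw.pdf",
    "http://sonatelsolutions.com/uploads/1/3/0/6/130620439/f266f56.pdf",
    "http://susannesreedhar.com/uploads/1/3/0/5/130551518/peregopisasoguti.pdf",
    "http://sh8kmusic.com/uploads/1/3/0/8/130874285/bojadimuba-zagizevipirezuz-dutawu-roroziso.pdf",
    "http://thaiyoga.shop/uploads/1/3/0/2/130288592/midopek_wugolifize_dalele.pdf",
    "http://sethsep.com/uploads/1/3/0/9/130969631/6b3c69.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/xap/1.0/",
]


def analyze_sample() -> dict:
    return score_link_farm(build_sample_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

On the sample, the top host holds 1 of 13 links while the top path template holds all 13, which is why the template share, not the host share, is what trips the rule here; on a real file, run the sweep after inflating object streams, or the annotation dictionaries will not be visible to the regex.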

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062f4.bin
SHA-256: 2151edd55611e846cc1ce4142d56820d37c46d65a66a7a6d4f139d1ca1f2f5f9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x62F4
Size: 10704 bytes
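The font carve recorded above, as an added example (not the report tool's carver): walk the PDF's stream objects, inflate FlateDecode streams, keep those whose decoded bytes begin with an sfnt header and a table directory that fits inside the blob, and name each artifact the way the report does (index, type, file offset). The regex object walk, the header sanity check and the sample PDF with its constructed fake TrueType font are assumptions; the offset is taken to be the file offset of the raw stream data.

```python
# Carve embedded sfnt (TrueType/OpenType) font streams out of a PDF. Added
# example, not the report tool's carver; the object walk is a regex
# simplification and the sample PDF with its fake font is constructed inline.
import hashlib
import re
import struct
import zlib

# A stream object: its dictionary (one level of nested << >> allowed),
# then the raw bytes between 'stream' and 'endstream'.
STREAM_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL)

# sfnt version tags whose header carries numTables at offset 4.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "truetype", b"true": "truetype",
               b"OTTO": "opentype-cff"}


def looks_like_sfnt(data: bytes) -> bool:
    """Magic tag plus a table directory whose entries all fit in the blob."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return False
    num_tables = struct.unpack_from(">H", data, 4)[0]
    if not 0 < num_tables <= 64 or len(data) < 12 + 16 * num_tables:
        return False
    for i in range(num_tables):
        _tag, _csum, off, length = struct.unpack_from(">4sIII", data, 12 + 16 * i)
        if off + length > len(data):
            return False          # truncated or bogus table record
    return True


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def artifact_name(index: int, offset: int) -> str:
    """Same naming scheme as the report's font_00_sfnt_off000062f4.bin."""
    return f"font_{index:02d}_sfnt_off{offset:08x}.bin"


def carve_fonts(pdf_bytes: bytes) -> list[dict]:
    """One record per stream whose decoded bytes are an sfnt font. 'offset'
    is the file offset of the raw stream data (assumed meaning of the
    report's 'at offset 0x62F4')."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        dict_src, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dict_src:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue          # damaged or unsupported stream; skip it
        if looks_like_sfnt(data):
            found.append({
                "name": artifact_name(len(found), m.start(2)),
                "kind": SFNT_MAGICS[data[:4]],
                "offset": m.start(2),
                "size": len(data),
                "sha256": sha256_hex(data),
                "data": data,
            })
    return found


def build_fake_sfnt() -> bytes:
    """Constructed TrueType-shaped blob: header, two table records, padding."""
    head_len, glyf_len = 54, 16
    directory_end = 12 + 16 * 2
    # numTables=2, searchRange=32, entrySelector=1, rangeShift=0
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 2, 32, 1, 0)
    records = (struct.pack(">4sIII", b"head", 0, directory_end, head_len)
               + struct.pack(">4sIII", b"glyf", 0, directory_end + head_len, glyf_len))
    return header + records + b"\x00" * (head_len + glyf_len)


def _stream_obj(num: int, extra: bytes, data: bytes) -> bytes:
    head = b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(data), extra)
    return head + data + b"\nendstream\nendobj\n"


def build_sample_pdf() -> bytes:
    """Constructed PDF with a plain content stream (a decoy the carver must
    skip) and a FlateDecode'd font stream shaped like a real /FontFile2."""
    font = build_fake_sfnt()
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        _stream_obj(4, b"", b"BT /F1 12 Tf (decoy) Tj ET"),
        _stream_obj(5, b"/Filter /FlateDecode /Length1 %d" % len(font),
                    zlib.compress(font)),
        b"%%EOF\n",
    ])


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec["name"], rec["kind"], rec["size"], rec["sha256"])
```

The table-directory check is what separates a real font stream from an arbitrary blob that happens to start with 0x00010000; a hash of the carved bytes, as in the report, is what lets the same font be matched across other samples from the same generator.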