Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ad628588d613bc1…

MALICIOUS

PDF

Size: 73.8 KB
Created: 2020-06-13 20:56:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 527ff205ac1c316dbb5ae3446e284bf3
SHA-1: 06ecf26b4c46816ab7efeec57e4c0007380879ba
SHA-256: 8ad628588d613bc1200687e147e4a7c83093461dc3a89b36f985c9526e1504d3
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to domains that appear to be part of a link farm designed to manipulate search engine results. The document body, though heavily garbled, contains text related to 'exercice grafcet avec corrigé pdf' and references wkhtmltopdf, suggesting a lure to a potentially malicious website. The presence of numerous unknown URLs indicates a broad phishing or SEO poisoning campaign.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://plattsburghdogtraining.com/uploads/1/3/0/3/130324241/130324241.html#exercice+grafcet+avec+corrig%25C3%25A9+pdf
    • http://roguerobotics.net/uploads/1/3/0/9/130969551/c8090d3.pdf
    • http://wandaguojiyulebeiyongwangzhi.br3h.com/uploads/1/3/0/7/130776363/jelalar.pdf
    • http://youveearnedit.net/uploads/1/3/0/5/130544110/3171523.pdf
    • http://amega2u.com/uploads/1/3/1/8/131856247/7d5a50030577ba.pdf
    • http://michagbusiness.com/uploads/1/3/1/4/131408371/72371026e2fc.pdf
    • https://bazaroguj.files.wordpress.com/2020/06/bowivowulumebijegizemes.pdf
    • https://xupidurodofa.files.wordpress.com/2020/06/devafuzimijoroxufi.pdf
    • https://nutuwomopizu.files.wordpress.com/2020/06/50535334135.pdf
    • https://vuzenaw.files.wordpress.com/2020/06/12616835008.pdf
    • https://gozuwej.files.wordpress.com/2020/06/saxopolugit.pdf
    • https://nonifaxaxe.files.wordpress.com/2020/06/masulijuvepukavezafopuv.pdf
    • https://sixawawomexa.files.wordpress.com/2020/06/mebinunukowajaguris.pdf
    • https://pusivogaj.files.wordpress.com/2020/06/laviginazemu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000cfbd.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xCFBD
  Size:    1724 bytes
  SHA-256: 1b89cd0a613842fd28fcfc833bdab7ea257a045428400af7a208909e4f7f8713

Filename: font_01_sfnt_off0000d844.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xD844
  Size:    13948 bytes
  SHA-256: af92eb89e616834921332f00ac0c0677757c69efce783c21a701ee032dd8397d

Filename: font_02_sfnt_off000103e2.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x103E2
  Size:    16096 bytes
  SHA-256: 3bb08857b08983a257d5a2052628e18542fd51c8d29f5bbef87ea8b8ace00841