Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c6b62b0449ea5d1…

Verdict: MALICIOUS
File type: PDF
Size: 50.3 KB
Created: 2020-04-22 02:32:47 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4e99561d3674486fdddef60f34a565e6
SHA-1: 72555c841c2d6dbf08e590df04746a190953ec3f
SHA-256: 8c6b62b0449ea5d1d701b1ae4e29a1af2730300455cab3b9cbcc0f93ca8de1e9
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of external links, a pattern typical of SEO manipulation and of carrier documents that route readers to malicious or unwanted-software download sites. The visible text, though partially corrupted, concerns 'Surah al quran 30 juz pdf', a search-bait lure; the producer metadata (wkhtmltopdf via Qt) shows the document was rendered from an HTML page, consistent with a generated page rather than an authored document. The primary heuristic PDF_SEO_LINK_FARM fired on the mass of external .pdf links, with babysewfancy.com the dominant host, which points to a link-farm strategy. No scripts or other active content were extracted from this sample: the risk is in the links the reader is induced to click, not in the PDF itself exploiting the viewer.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gmchamberpatrons.com/uploads/1/3/0/8/130814070/130814070.html#surah+al+quran+30+juz+pdf
    • http://babysewfancy.com/uploads/1/3/1/3/131381480/wibizotivumoxi_petosa_benetorawamibil_fanidi.pdf
    • http://carinasanchez.net/uploads/1/3/1/3/131378779/4956992.pdf
    • http://lightonwatertcm.com/uploads/1/3/0/7/130776503/8793288.pdf
    • http://lakehousemanager.com/uploads/1/3/1/4/131453989/lijewajozanopefi.pdf
    • http://highdesertrecords.shop/uploads/1/3/1/4/131406270/pijopusetin.pdf
    • http://abacobahamashurricanerelief.org/uploads/1/3/0/4/130475938/fa49f3645c59739.pdf
    • http://michellejestersite.com/uploads/1/3/0/6/130621214/21ea8bcae955b.pdf
    • http://traversebaypainting.com/uploads/1/3/0/7/130775078/lubumorupadaj.pdf
    • http://oldlystrainn.net/uploads/1/3/0/6/130620343/tuwusuletisezopomofa.pdf
    • http://notimeformean.org/uploads/1/3/1/4/131437726/7795973.pdf
    • http://commercialcompliance.com/uploads/1/3/1/3/131398385/mikofibojiroboxu.pdf
    • http://babyfreebies2020.com/uploads/1/3/1/3/131379198/1881995.pdf
    • http://millerfamilylawn.com/uploads/1/3/0/8/130814534/5f7fbc735.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries (w3.org, purl.org, ns.adobe.com) are XMP/RDF namespace identifiers from the document's metadata stream. They are schema names, not link-annotation targets, and carry no signal on their own; only the .pdf and .html URLs above are clickable.
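The PDF_SEO_LINK_FARM heuristic above is a structural test: pull the URI-action targets out of the file, keep the external .pdf links, and measure how tightly they cluster on one host relative to file size. The Python below is an added example written for this page, not the scanner's own code. The thresholds, the feature names and the sample bytes (a constructed fragment that reuses a few hosts from the list above, not a loadable PDF and not the analysed sample) are assumptions. It scans uncompressed link annotations, which is how wkhtmltopdf/Qt writes them; for producers that pack annotations into object streams, decompress first (for example with qpdf --qdf) and run the same scan over the result.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Target string of a PDF URI action, as a literal "(...)" or a hex string "<...>".
# The XMP namespace URIs (w3.org, purl.org, ns.adobe.com) sit in the metadata stream
# as XML attributes, never behind a /URI key, so this pattern does not pick them up.
# Limitation: balanced but unescaped parentheses inside a literal are not handled.
URI_TARGET = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)


def extract_uri_actions(pdf_bytes):
    """Return every /URI action target in the file, in file order."""
    targets = []
    for m in URI_TARGET.finditer(pdf_bytes):
        if m.group(1) is not None:
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))   # undo \( \) \\ escapes
        else:
            raw = bytes.fromhex(m.group(2).decode("ascii"))     # hex-string form
        targets.append(raw.decode("latin-1"))
    return targets


def link_farm_features(pdf_bytes):
    """Counts the link-farm decision is made on (feature names are this example's)."""
    urls = extract_uri_actions(pdf_bytes)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size": len(pdf_bytes),
        "uri_actions": len(urls),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(pdf_links) if pdf_links else 0.0,
    }


def is_seo_link_farm(pdf_bytes, max_size=256 * 1024, min_pdf_links=10, min_top_share=0.4):
    """Thresholds are this example's assumptions, not the scanner's tuned values."""
    f = link_farm_features(pdf_bytes)
    return (f["size"] <= max_size
            and f["pdf_links"] >= min_pdf_links
            and f["top_host_share"] >= min_top_share)


def link_annot(obj_num, url):
    """One uncompressed /Link annotation with a URI action, in the layout Qt emits."""
    return (b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10]\n"
            b"/A << /Type /Action /S /URI /URI (%s) >> >>\nendobj\n"
            % (obj_num, url.encode("latin-1")))


# Constructed sample: twelve links to the dominant host plus three others, and an XMP
# metadata stream whose namespace URIs must NOT be counted as links. Not a loadable PDF.
FARM_HOST = "babysewfancy.com"
SAMPLE_URLS = (
    ["http://%s/uploads/1/3/1/3/131381480/file%d.pdf" % (FARM_HOST, i) for i in range(12)]
    + ["http://carinasanchez.net/uploads/1/3/1/3/131378779/4956992.pdf",
       "http://lightonwatertcm.com/uploads/1/3/0/7/130776503/8793288.pdf",
       "http://gmchamberpatrons.com/uploads/1/3/0/8/130814070/130814070.html#surah+al+quran+30+juz+pdf"]
)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"".join(link_annot(10 + i, u) for i, u in enumerate(SAMPLE_URLS))
    + b"100 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
      b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
      b'         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj\n'
    + b"%%EOF\n"
)

if __name__ == "__main__":
    feats = link_farm_features(SAMPLE_PDF)
    print(feats)
    print("PDF_SEO_LINK_FARM:", is_seo_link_farm(SAMPLE_PDF))
```

On the constructed sample this reports 15 URI actions, 14 of them .pdf links across 3 hosts, with babysewfancy.com holding 12/14 of them, and the verdict fires; a one-link document of the same shape does not. The .html lure URL with the `#surah+al+quran...` fragment is counted as an external link but not as a .pdf link, because the fragment is not part of the path. In production the same features would be computed after decompression and combined with the EMBEDDED_URL channel labels, rather than used as a standalone verdict.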

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007d48.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7D48
  Size:    8168 bytes
  SHA-256: 505cf0db925ed2721da6575ac8e0d0396ec97c04e399436270c54b23acbbbf23

Filename: font_01_sfnt_off00009d10.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9D10
  Size:    2876 bytes
  SHA-256: 62d5f05a3261ff6e7469f9bc5037b65ed67450f46d75c1603045ae55d9ab4b4e

Filename: font_02_sfnt_off0000a70a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA70A
  Size:    16160 bytes
  SHA-256: 2f79ba52acca039e5c354f09c372eb8b3e5c303dfc88b98fa2ec462876c681ba

None of the three heuristics above concerns these artifacts. Embedded sfnt (TrueType/OpenType) font programs are normal in wkhtmltopdf output; the hashes are listed for correlation against other samples, not as detections.