Malicious PDF — malware analysis report

Static analysis result for SHA-256 904722d254b6b3b7…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Created: 2020-04-11 21:54:34 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4bc1efd358d220f92e00458d464e5d10
SHA-1: c6102123f1e9a738a0fa139f3bed0b4ae52b6249
SHA-256: 904722d254b6b3b70b8c03bd87f13e7d85362cbde8563c63df6a1ed3ac74bfac
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution mechanism for further malicious content. The document body contains garbled text and a reference to 'wkhtmltopdf', indicating it was likely generated programmatically. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://katrinroberts.com/uploads/1/3/0/6/130603841/130603841.html#convertidor+de+litros+a+milimetros+cubicos
    • http://happpyynewyeaar.com/uploads/1/3/0/6/130640069/ed47a03.pdf
    • http://michellekendall.net/uploads/1/3/0/3/130323417/6dfbef978.pdf
    • http://oest.juniortalent.dk/uploads/1/3/0/3/130323532/5670590.pdf
    • http://gdcpros.com/uploads/1/3/0/4/130491599/pesizesuwomus.pdf
    • http://geteam4u.com/uploads/1/3/0/6/130639889/255f54fe5f3a1.pdf
    • http://milesaweigh.com/uploads/1/3/0/7/130776823/2025641.pdf
    • http://inspired2eatright.com/uploads/1/3/0/4/130435893/pobojorapo.pdf
    • http://ajsprepschool.com/uploads/1/3/0/5/130590594/1262823.pdf
    • http://channingladden.com/uploads/1/3/0/5/130541313/4761397.pdf
    • http://giftabilitiesinc.com/uploads/1/3/0/9/130968943/duwatimora_satik.pdf
    • http://schoolstreetspeech.com/uploads/1/3/0/7/130739661/xewutotudenamevapela.pdf
    • http://www.hyoyemorrisseyart.com/uploads/1/3/0/7/130738696/tejozowob.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000657a.bin
SHA-256: 54403faf69dd8a775b1a2494f80ed44823aeed403a7acf8a266ecab9b9aab0cf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x657A
Size: 7852 bytes