Malicious PDF — malware analysis report

Static analysis result for SHA-256 944df2eb74c72e9f…

MALICIOUS

PDF

49.2 KB Created: 2020-04-15 08:07:53 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5e3acbc798f4d47126b198080bb7c3df SHA-1: 285382fef823924dfada598ab1bbabb583cb0be3 SHA-256: 944df2eb74c72e9fe2a6c3ae71f99c6ce86e7addd464eb50f6e1ed175b64dcfe
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique often used for SEO spam or to direct users to malicious websites. The document body, though heavily obfuscated, contains references to 'Montserrat extra bold font free' and the authoring application 'wkhtmltopdf', suggesting a lure to download a font or related resource. The primary heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, with the first identified link being http://africaservantleader.org/uploads/1/3/0/5/130588809/zufurulapodajul-luwenamufisi-dafezeranusef-sabasunafiz.pdf. This pattern suggests the document's purpose is to drive traffic to these external sites.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://secauto.org/uploads/1/3/0/8/130873820/130873820.html#montserrat+extra+bold+font+free
    • http://africaservantleader.org/uploads/1/3/0/5/130588809/zufurulapodajul-luwenamufisi-dafezeranusef-sabasunafiz.pdf
    • http://celesteliversidge.com/uploads/1/3/0/2/130289746/8834222.pdf
    • http://ledgertax.com/uploads/1/3/0/7/130775087/2298074.pdf
    • http://kenoshamedia.com/uploads/1/3/1/0/131070329/lerugovozo.pdf
    • http://netimebank.org/uploads/1/3/0/4/130435784/rosuvomebopa-sunalujaxu-fejuxez-patukejawana.pdf
    • http://mayloussoulfood.com/uploads/1/3/0/6/130604769/volorokuronob-tusaxotejegad-wojejadak-vuxiv.pdf
    • http://zensuiteseattle.com/uploads/1/3/0/4/130476263/piselodijux.pdf
    • http://aday-late.com/uploads/1/3/0/8/130873786/7108683.pdf
    • http://vietthaiessex.com/uploads/1/3/0/5/130543472/7211186.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006469.bin
b5049b239e6d85a975f9c482b0e6e29fac04fb0c1120b11473e7f66d9bb9a083		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6469 22900 bytes
font_01_sfnt_off0000a238.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA238 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.