Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b660361ac229add…

Verdict: MALICIOUS
File type: PDF

Size: 40.3 KB
Created: 2020-03-07 22:55:33 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 77282f8e2599a38a75887ce485f53de2
SHA-1: df7ace8ad7150d4c5d994a051b452e07ad26355b
SHA-256: 9b660361ac229add03c717ec0126daa577dccff55fa613878c1838e9206b53e2
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a large number of external link annotations spread over many unrelated domains that all share the same /uploads/1/3/0/<n>/<id>/ path layout, the mark of a generated link farm rather than a document's genuine citations. The extracted text references 'nrsv catholic study bible', the search term the page was generated for (it also appears as the fragment of the primary URL), and 'wkhtmltopdf', the producer that rendered an HTML page to PDF; together they indicate a templated SEO page converted to PDF and dressed up as a Bible study lure. The primary heuristic PDF_SEO_LINK_FARM describes exactly this: mass link generation for SEO manipulation, used to route readers through further generated PDFs into malware or unwanted-software delivery chains. The most prominent IOCs are the landing page 'http://gregjiel.com/uploads/1/3/0/5/130588816/130588816.html#nrsv+catholic+study+bible' and the linked PDF 'http://forthejoyofit.org/uploads/1/3/0/5/130551524/e412a6a32b1.pdf'; the other /uploads/ URLs listed under EMBEDDED_URL follow the same layout and belong to the same farm.

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical]: small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. Note that in this sample the hosts all differ; the clustering is in the shared /uploads/1/3/0/<n>/<id>/ path template rather than in the host name, so a host-only count understates it.
  • PDF_URI [info]: external URI
    PDF contains an external URL action (/URI).
  • EMBEDDED_URL [info]: embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gregjiel.com/uploads/1/3/0/5/130588816/130588816.html#nrsv+catholic+study+bible
    • http://forthejoyofit.org/uploads/1/3/0/5/130551524/e412a6a32b1.pdf
    • http://www.ustagepro.com/uploads/1/3/0/8/130814225/zurijumusif.pdf
    • http://the-eternal-sun.com/uploads/1/3/0/2/130270768/ce0ffe73445.pdf
    • http://dns1.saintjosephsculturalcenter.org/uploads/1/3/0/7/130739086/vutugewesumato.pdf
    • http://www.pbmt.com.au/uploads/1/3/0/3/130324011/konizul-tabodameva.pdf
    • http://www.myinfoviews.com/uploads/1/3/0/7/130776065/xidud.pdf
    • http://www.mattressworldcharlotte.com/uploads/1/3/0/7/130738989/5881896.pdf
    • http://getbabyskin.com/uploads/1/3/0/5/130588957/dccd64501.pdf
    • http://oldschoolmechanics.com/uploads/1/3/0/6/130621634/garowazef-binomani-tavapemuwedu.pdf
    • http://alisonyinblog.com/uploads/1/3/0/2/130287883/7276638.pdf
    • http://trinaronsplace.com/uploads/1/3/0/7/130740178/talowademogepowamogo.pdf
    • http://www.georgiacrook.co.uk/uploads/1/3/0/2/130272365/8772589.pdf
    • http://patriots-for-truth.com/uploads/1/3/0/6/130639883/nugilisiguga.pdf
    • http://0205monshop.host/uploads/1/3/0/7/130775725/9860623.pdf
    • http://www.fear-lessnation.com/uploads/1/3/0/6/130639382/1616517.pdf
    • http://simonassi.com/uploads/1/3/0/2/130270796/450ef59d0b.pdf
    • http://threadsbynef.com/uploads/1/3/0/2/130272284/2ac8a0.pdf
    • http://studentshufur.net/uploads/1/3/0/5/130590338/a2c72e20587ec.pdf
    • http://textilespreserved.com/uploads/1/3/0/2/130289240/morutedexefozo.pdf
    • http://stringgeek.org/uploads/1/3/0/7/130776106/pusiziwotalemomuj.pdf
    • http://www.wonderfullymadekitchen.com/uploads/1/3/0/7/130740458/5340993.pdf
    The six URLs below are XMP/RDF namespace declarations from the document's metadata stream (the producer writes them into every file), not navigable links; they are listed for completeness and are not IOCs.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
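The scan below is an added example, not the scanner behind this report. It reproduces the PDF_SEO_LINK_FARM check over a constructed PDF built from URLs in the IOC list above, and generalises the heuristic's "clustered on one host" test to also accept clustering on a shared path template, since this sample spreads its links over distinct hosts. The thresholds (256 KiB, ten .pdf links, 50% cluster share), the helper names and the sample PDF wrapper are this example's assumptions; it handles raw objects and FlateDecode streams only.

```python
"""Static scan for the PDF_SEO_LINK_FARM pattern (added example, not the report's tool).
Standard library only: scans raw bytes plus inflated FlateDecode streams, which covers
generated PDFs like this one but not object streams, encryption or hex-string operands."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# String operand of a /URI action; the group tolerates backslash escapes inside the string.
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<u>(?:\\.|[^\\)])*)\)", re.S)
# Raw stream bodies; only those that inflate as zlib are rescanned.
STREAM_RE = re.compile(rb"stream\r?\n(?P<body>.*?)\nendstream", re.S)
# Any http(s) URL wherever it sits (text layer, XMP metadata, annotation dictionaries).
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")
# Namespace URIs every XMP packet declares: metadata, not clickable links (see the list above).
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")

def unescape_pdf_string(raw: bytes) -> str:
    # Undo the escapes a literal string can carry in a URI: \( \) and \\ (others left as written).
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")

def _regions(pdf: bytes):
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group("body"))
        except zlib.error:
            continue  # not a Flate stream (e.g. plain XMP): already covered by the raw scan

def is_xmp_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)

def extract_urls(pdf: bytes):
    """Return (uri_actions, all_urls): URLs reachable by clicking vs. every URL string found."""
    actions, every = [], []
    for region in _regions(pdf):
        actions += [unescape_pdf_string(m.group("u")) for m in URI_ACTION_RE.finditer(region)]
        every += [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(region)]
    return list(dict.fromkeys(actions)), list(dict.fromkeys(every))

def path_template(url: str) -> str:
    # Directory part with digit runs collapsed: /uploads/1/3/0/5/130551524/x.pdf -> /uploads/N/N/N/N/N
    return re.sub(r"\d+", "N", urlparse(url).path.rsplit("/", 1)[0])

def score_link_farm(pdf: bytes, max_size=256 * 1024, min_pdf_links=10, cluster_share=0.5) -> dict:
    """Link-farm verdict; thresholds are this example's assumptions. A hit needs a small file,
    many clickable .pdf links, and clustering on one host OR one path template (this sample
    spreads its hosts but shares the template, so a host-only check would miss it)."""
    actions, _ = extract_urls(pdf)
    clickable = [u for u in actions if u.startswith(("http://", "https://")) and not is_xmp_namespace(u)]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in clickable)
    templates = Counter(path_template(u) for u in pdf_links)
    host_share = max(hosts.values()) / len(clickable) if clickable else 0.0
    template_share = max(templates.values()) / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and max(host_share, template_share) >= cluster_share)
    return {"size": len(pdf), "clickable": len(clickable), "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host_share": round(host_share, 2),
            "top_template_share": round(template_share, 2), "flagged": flagged}

def build_sample_pdf(urls, flate_url=None) -> bytes:
    """Constructed input (not the analysed file): one /Link annotation per URL, an XMP metadata
    stream, and optionally one URI action inside a FlateDecode stream to exercise inflation."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls))) + b"] >> endobj"]
    for i, u in enumerate(urls):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (4 + i, u.encode()))
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    objs.append(b"%d 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream endobj"
                % (4 + len(urls), len(xmp), xmp))
    if flate_url:
        body = zlib.compress(b"<< /S /URI /URI (%s) >>" % flate_url.encode())
        objs.append(b"%d 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream endobj"
                    % (5 + len(urls), len(body), body))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# URLs taken from the IOC list above: the .html landing page plus nine .pdf links as annotations,
# and one more .pdf link hidden inside a Flate stream.
REPORT_URLS = [
    "http://gregjiel.com/uploads/1/3/0/5/130588816/130588816.html#nrsv+catholic+study+bible",
    "http://forthejoyofit.org/uploads/1/3/0/5/130551524/e412a6a32b1.pdf",
    "http://www.ustagepro.com/uploads/1/3/0/8/130814225/zurijumusif.pdf",
    "http://the-eternal-sun.com/uploads/1/3/0/2/130270768/ce0ffe73445.pdf",
    "http://dns1.saintjosephsculturalcenter.org/uploads/1/3/0/7/130739086/vutugewesumato.pdf",
    "http://www.pbmt.com.au/uploads/1/3/0/3/130324011/konizul-tabodameva.pdf",
    "http://www.myinfoviews.com/uploads/1/3/0/7/130776065/xidud.pdf",
    "http://www.mattressworldcharlotte.com/uploads/1/3/0/7/130738989/5881896.pdf",
    "http://getbabyskin.com/uploads/1/3/0/5/130588957/dccd64501.pdf",
    "http://oldschoolmechanics.com/uploads/1/3/0/6/130621634/garowazef-binomani-tavapemuwedu.pdf",
]
SAMPLE_PDF = build_sample_pdf(
    REPORT_URLS, flate_url="http://www.wonderfullymadekitchen.com/uploads/1/3/0/7/130740458/5340993.pdf")
```

Running `score_link_farm(SAMPLE_PDF)` flags the constructed file with eleven distinct hosts but a single path template across all ten .pdf links; `extract_urls` keeps the three XMP namespace URIs in its second list and out of the clickable set, which is the distinction the EMBEDDED_URL heuristic draws between a URL that was extracted and a URL that is a detection.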

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007159.bin
Kind: pdf-font-stream (PDF embedded font, sfnt)
Source: offset 0x7159 in the sample
Size: 8564 bytes
SHA-256: 1d2423d00d8f67c8117d9795d5af801ac38d76b963af361adbbe3ca98f323e39
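The artifact row above records an sfnt font found at a byte offset with a given size and hash. The script below, an added example rather than the report's carver, shows how such a row is derived: scan for the sfnt magics, validate the table directory (which also rejects the PDF keyword `true`, a magic collision), and end the font where its last 4-byte-aligned table ends. It runs over a constructed carrier holding a two-table TrueType skeleton. Names and the 64-table sanity limit are this example's assumptions; it scans raw bytes only, so font streams inside FlateDecode streams must be inflated first.

```python
"""Carve embedded sfnt fonts from a PDF by header scan (added example, not the report's tool)."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF-based OpenType

def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt container at buf[off], or None if the header is not a plausible font
    (this is what rejects the PDF keyword 'true', which shares a magic with Apple TrueType)."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64:  # sanity limit assumed by this example
        return None
    end = off + 12 + 16 * num_tables  # at least the header plus the table directory
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, rec)
        if not all(0x20 <= c < 0x7F for c in tag) or toff < 12 or off + toff + tlen > len(buf):
            return None  # non-ASCII tag, table overlapping the header, or table past the buffer
        end = max(end, off + toff + ((tlen + 3) & ~3))  # table data is padded to 4 bytes
    return end - off

def carve_fonts(pdf: bytes):
    """Return [(offset, length, sha256)] for every validated sfnt in the raw bytes."""
    found, pos = [], 0
    while True:
        hits = [h for h in (pdf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        n = sfnt_length(pdf, off)
        if n is None:
            pos = off + 1  # false positive such as '/Marked true'; keep scanning
            continue
        found.append((off, n, hashlib.sha256(pdf[off:off + n]).hexdigest()))
        pos = off + n  # skip the font body so 00 01 00 00 runs inside it are not re-matched

def build_sample_font() -> bytes:
    """Constructed two-table TrueType skeleton with zero-filled tables; not a usable font."""
    tables = [(b"head", b"\x00" * 54), (b"cmap", b"\x00" * 10)]
    directory, body = b"", b""
    data_start = 12 + 16 * len(tables)
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, data_start + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0) + directory + body

# Constructed carrier: a catalog containing the literal 'true' (a magic collision) and one
# uncompressed FontFile stream, mirroring the "pdf-font-stream" artifact kind above.
SAMPLE_FONT = build_sample_font()
SAMPLE_CARRIER = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Marked true >> endobj\n"
                  + b"5 0 obj << /Length %d /Length1 %d >>\nstream\n" % (len(SAMPLE_FONT), len(SAMPLE_FONT))
                  + SAMPLE_FONT + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    for off, n, digest in carve_fonts(SAMPLE_CARRIER):
        print(f"font_00_sfnt_off{off:08x}.bin  {n} bytes  {digest}")
```

The directory walk is what turns "a magic at offset X" into a bounded artifact: without it a carver has to guess the end (or trust the stream's `/Length`, which an attacker controls), and the `true` keyword in ordinary PDF dictionaries would be carved as a font on every file.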