Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cce88b52a09f3ff…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Created: 2020-03-26 01:39:29 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4abdaa5bf650132324ed6dc695a2db07
SHA-1: b6510bd4d1f5f212dadaf0573de64da45db68cad
SHA-256: 9cce88b52a09f3ff4e5a2cac35c003fdf575b63f586db59410015309dedeb071
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO spam or to redirect users to malicious sites. The document body, though partially corrupted, contains text related to 'Psicologia y mente frases de amor' and metadata indicating it was generated by wkhtmltopdf, suggesting a lure to drive traffic to the linked URLs. The primary heuristic 'PDF_SEO_LINK_FARM' strongly indicates this malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007f21.bin
SHA-256: f46761e078e98c67aea58fc0153fbb17c6234c723997801ce461e75185720766
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7F21
Size: 9124 bytes