Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fed3325476f6489…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2020-03-12 09:28:12 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 71753f9741eba4185b37fbd9ff04721a
SHA-1: 051768604a61368d7598998b8c48ffdcd895f6fd
SHA-256: 9fed3325476f64898265e7cdc362f7d8d496968640e2872c2216bf9122f86bdf
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell (not corroborated by any extracted script or artifact in this report; treat as tentative)
  • T1566.002 Phishing: Spearphishing Link (the scanner labels this ID "Spearphishing Attachment", which is T1566.001; the ID, not the label, matches a link-carrier PDF)

The PDF carries a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. Each link-farm target sits on a different host but follows the same directory structure, /uploads/1/3/0/<n>/<nine-digit id>/<name>.pdf, which is the signature of a mass-generated carrier rather than a normal citation pattern; such PDFs are built to manipulate search rankings or to route readers into a malicious or unwanted-software delivery chain. The authoring application, wkhtmltopdf, shows the file was rendered from HTML, consistent with automated generation. The partially corrupted body text references an Acer projector, matching the #acer+projector+h5380bd fragment of the first listed URL, and the wkhtmltopdf application, which suggests the search-term lure used to draw victims to the document. No scripts were extracted, so no direct execution capability was observed in static analysis, and the PowerShell mapping above rests on nothing in the extracted content.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the targets are spread across distinct hosts but share one directory structure (/uploads/1/3/0/<n>/<nine-digit id>/), which is the clustering signal here and a useful pivot for hunting related carriers.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, ...) is not labelled in this report.
    Lure URL (its #acer+projector+h5380bd fragment matches the Acer projector text in the document body):
    • http://pranzotruck.com/uploads/1/3/0/4/130488328/130488328.html#acer+projector+h5380bd
    Link-farm targets:
    • http://cerecdl.com/uploads/1/3/0/6/130639913/3876889.pdf
    • http://www.publishinginsideout.org/uploads/1/3/0/2/130288447/8939321.pdf
    • http://www.yiechan.com/uploads/1/3/0/4/130483266/gurabaxomor_fuleku_zipuvinitiv.pdf
    • http://runningwithscissors.website/uploads/1/3/0/5/130546354/9967146.pdf
    • http://burlyqclub.com/uploads/1/3/0/7/130775740/tadagaf.pdf
    • http://altomar.art.br/uploads/1/3/0/4/130488583/didudorokab.pdf
    • http://mybuildahome.com/uploads/1/3/0/6/130604433/sonamaxufeniroziv.pdf
    • http://dexinvesment.com/uploads/1/3/0/6/130621402/9956025.pdf
    • http://sdvarietyoutlet.com/uploads/1/3/0/3/130323162/cf6ba5f876e8.pdf
    • http://thepurposeprofessor.com/uploads/1/3/0/4/130489162/fikubir.pdf
    • http://mta-sts.mail.hollandwalks.nl/uploads/1/3/0/6/130639762/zatexu_zorelafemewegi_zeliguxa_tijonu.pdf
    • http://www.mail.wtcgasfieldservices.com/uploads/1/3/0/8/130874009/4989597.pdf
    • http://saramelina.net/uploads/1/3/0/6/130621900/c5dab927c6336.pdf
    • http://nereoww.com/uploads/1/3/0/8/130813033/5453215.pdf
    XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe XMP namespace identifiers from the document's metadata packet; they are not link targets and not indicators, and a URL grep that does not filter them inflates the link count):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
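The following is an added example, not the scanner's own code, of how a PDF_SEO_LINK_FARM style check can be implemented: it extracts the targets of /URI link actions, separates them from the XMP namespace URIs that a naive URL grep also returns, and clusters the targets by host and by directory template (the structure shared by the targets above). The thresholds, the regex-based extraction (which only sees unencrypted, uncompressed literal strings; a real scanner would decode object streams with a PDF parser first) and the constructed sample PDF are assumptions of this example; the nine sample URLs are copied from the report's list.

```python
"""Toy PDF_SEO_LINK_FARM check (added example, not the scanner's code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Standard XMP/RDF namespace identifiers: present in the metadata packet of
# most generated PDFs, never link targets. A URL grep must not count them.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)


def is_xmp_namespace(url):
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def extract_uri_actions(pdf):
    """Targets of /URI (...) actions, i.e. what a reader opens on click.
    Literal strings only; hex strings and escaped parens are out of scope."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf)]


def extract_all_urls(pdf):
    """What a naive URL grep returns: link targets plus metadata namespaces."""
    return [m.group(0).decode("latin-1")
            for m in re.finditer(rb"https?://[^\s<>\"'()]+", pdf)]


def directory_template(url):
    """Directory part of the path with digit runs collapsed, so that
    /uploads/1/3/0/4/130488328/x.pdf and /uploads/1/3/0/6/130621402/y.pdf
    both map to /uploads/#/#/#/#/#."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", directory)


def link_farm_verdict(pdf, max_size=100 * 1024, min_links=8, min_pdf_share=0.5):
    """Thresholds are assumptions of this example, not the scanner's values."""
    links = [u for u in extract_uri_actions(pdf) if not is_xmp_namespace(u)]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in links)
    templates = Counter(directory_template(u) for u in links)
    pdf_share = len(pdf_links) / len(links) if links else 0.0
    hit = len(pdf) <= max_size and len(links) >= min_links and pdf_share >= min_pdf_share
    return {
        "hit": hit,
        "size": len(pdf),
        "links": len(links),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": hosts.most_common(1)[0] if hosts else None,
        "top_template": templates.most_common(1)[0] if templates else None,
    }


def build_sample_pdf(urls):
    """Constructed sample: one page of /URI link annotations plus an XMP
    packet. The xref table is omitted; the regex extractors above do not
    need it, a conforming reader would."""
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF"
           b" xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'"
           b" xmlns:dc='http://purl.org/dc/elements/1.1/'"
           b" xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
        % (len(xmp), xmp),
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
        + b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls))) + b"] >>",
    ]
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10]"
                    b" /A << /S /URI /URI (" + url.encode("ascii") + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Nine targets copied from the report's URL list (the .html lure plus eight
# of the .pdf link-farm targets); the sample PDF is constructed around them.
SAMPLE_URLS = [
    "http://pranzotruck.com/uploads/1/3/0/4/130488328/130488328.html#acer+projector+h5380bd",
    "http://cerecdl.com/uploads/1/3/0/6/130639913/3876889.pdf",
    "http://www.publishinginsideout.org/uploads/1/3/0/2/130288447/8939321.pdf",
    "http://www.yiechan.com/uploads/1/3/0/4/130483266/gurabaxomor_fuleku_zipuvinitiv.pdf",
    "http://runningwithscissors.website/uploads/1/3/0/5/130546354/9967146.pdf",
    "http://burlyqclub.com/uploads/1/3/0/7/130775740/tadagaf.pdf",
    "http://altomar.art.br/uploads/1/3/0/4/130488583/didudorokab.pdf",
    "http://mybuildahome.com/uploads/1/3/0/6/130604433/sonamaxufeniroziv.pdf",
    "http://dexinvesment.com/uploads/1/3/0/6/130621402/9956025.pdf",
]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    grep = extract_all_urls(sample)
    print("naive grep:", len(grep), "URLs,",
          sum(is_xmp_namespace(u) for u in grep), "of them XMP namespaces")
    for key, value in link_farm_verdict(sample).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict fires with nine link targets on nine distinct hosts and a single shared directory template, which is exactly the shape of the list above: the host counter alone would miss it, the template counter catches it.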

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c7e.bin
SHA-256: e3af5f02e8071962cf25c3781a785cb55e0a879b4892aa375370807faf0e146e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6C7E
Size: 7800 bytes
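Before a carved font stream like the one above is handed to a font parser, a practitioner would want to confirm it really is an sfnt and that its table directory is sane. The following is an added example of that triage step, not the scanner's code: it checks the sfnt version tag, walks the table directory, flags tables that fall outside the carved bytes, and records the SHA-256. The sample fonts and the MAX_TABLES bound are constructed assumptions; the carved file itself is not reproduced here.

```python
"""Sanity check for a carved sfnt font stream (added example)."""
import hashlib
import struct

SFNT_FLAVORS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
}
MAX_TABLES = 64  # assumption: real fonts carry a few dozen tables at most


def parse_sfnt(blob):
    """Parse the 12-byte offset table and the table directory; never raises."""
    result = {"sha256": hashlib.sha256(blob).hexdigest(), "size": len(blob),
              "flavor": None, "tables": {}, "problems": []}
    if len(blob) < 12:
        result["problems"].append("shorter than the 12-byte offset table")
        return result
    result["flavor"] = SFNT_FLAVORS.get(blob[:4])
    if result["flavor"] is None:
        result["problems"].append("unknown sfnt version tag %r" % blob[:4])
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if num_tables == 0 or num_tables > MAX_TABLES:
        result["problems"].append("implausible numTables %d" % num_tables)
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        result["problems"].append("table directory runs past end of data")
    # Walk only the directory entries actually present in the blob.
    present = min(num_tables, (len(blob) - 12) // 16)
    for i in range(present):
        entry = blob[12 + 16 * i:28 + 16 * i]
        tag, _checksum, offset, length = struct.unpack(">4sIII", entry)
        tag = tag.decode("latin-1")
        result["tables"][tag] = (offset, length)
        # A table must start after the directory and end inside the data.
        if offset < dir_end or offset + length > len(blob):
            result["problems"].append(
                "table %s [%d, +%d) lies outside the data" % (tag, offset, length))
    return result


def build_sample_sfnt(payloads):
    """Constructed TrueType-flavoured sfnt from a tag->bytes mapping.
    Checksums are left zero; real fonts compute them, this check ignores them."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(payloads), 0, 0, 0)
    data_start = 12 + 16 * len(payloads)
    directory = b""
    data = b""
    for tag, payload in payloads.items():
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0,
                                 data_start + len(data), len(payload))
        data += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + data


if __name__ == "__main__":
    good = build_sample_sfnt({"head": b"\0" * 54, "cmap": b"\0\0\0\1" + b"A" * 20})
    # Intact font, a font truncated by a bad carve, and a non-font blob.
    for blob in (good, good[:80], b"%PDF-1.4 not a font"):
        r = parse_sfnt(blob)
        print(r["size"], r["flavor"], r["tables"], r["problems"] or "ok")
```

A clean result only says the directory is consistent with the blob; it does not make the font safe to render, so the stream still belongs in a sandboxed font parser rather than the analyst's desktop.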