Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1ab6b892e2d21d5…

Verdict: MALICIOUS

File type: PDF

Size: 35.8 KB
Created: 2020-03-22 13:47:17 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 74f33e2c27161c780e534cf491003a95
SHA-1: 89a3ea626c5274e9eb6750e24c78e297fef629a8
SHA-256: a1ab6b892e2d21d5659861c420b7af2b8e61ac3dc8318ebee1e9cc04ae6ec263
Risk Score: 62

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links and is identified as a PDF SEO link farm. The primary URL points to a page whose fragment carries keywords such as 'kidkraft pastel kitchen ireland', suggesting a search-engine lure. The heuristic firings indicate that the document's purpose is to link to numerous other PDF files hosted on various domains, most likely to manipulate search engine results or to route users towards further malicious content. No scripts were extracted, so there is no direct payload execution to analyse.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://globaly.services/uploads/1/3/0/5/130540501/130540501.html#kidkraft+pastel+kitchen+ireland
    Other extracted URLs:
    • http://houstontxlawoffice.com/uploads/1/3/0/6/130622051/kuvosi.pdf
    • http://cdn-4.visualpatterns.org/uploads/1/3/1/0/131070166/1759a5.pdf
    • http://saintclairstorage.com/uploads/1/3/0/2/130289611/xovav_dasabofufabowij.pdf
    • http://mystarchild.org/uploads/1/3/0/7/130775443/940fa56befab5.pdf
    • http://gfx.directory/uploads/1/3/0/3/130323295/9420750.pdf
    • http://www.barbsplacehome.com/uploads/1/3/0/4/130476062/714c4eb63793a5.pdf
    • http://www.azfairhousing.org/uploads/1/3/0/6/130640078/8969264.pdf
    • http://beautifulpinkk.com/uploads/1/3/0/6/130603811/wupapepam-dibimixadineb.pdf
    • http://gramajeayora.com/uploads/1/3/0/5/130550881/loruxuviloxanadoxavu.pdf
    • http://woodenbrightness.com/uploads/1/3/0/8/130874403/5933422e.pdf
    • http://www.woodturningbydesign.com/uploads/1/3/0/3/130379096/ruminovigala_bodufotaj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006099.bin
SHA-256: 5239677f33c58bedeba049df737ce8970e2aa6edb7fb47a3043a02294487042c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6099
Size: 8236 bytes