Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1b9952536542338…

Verdict: MALICIOUS
File type: PDF
Size: 127.9 KB
Created: 2020-03-30 01:11:16 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4ac5092755f42bfa398039f23cafcb9e
SHA-1: 180025ddaf70e6a971c919c6cef12f8fbb5a978c
SHA-256: a1b9952536542338c495fa70756f6efbb4700c125f9dc9dcda249046ef3cfde1
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body, though heavily obfuscated, contains a reference to 'Macbeth quotes with line numbers' and the authoring application 'wkhtmltopdf', suggesting a lure to disguise the malicious intent. The primary heuristic 'PDF_SEO_LINK_FARM' indicates a technique used to artificially inflate search engine rankings or distribute malicious content through a large number of links. The embedded URLs likely serve as landing pages for phishing or further malware delivery.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://74-123-72-68.mgwnet.com/uploads/1/3/0/7/130739916/130739916.html#macbeth+quotes+with+line+numbers
    • http://junecosmetics.co/uploads/1/3/0/4/130483519/welizesi.pdf
    • http://novamedia.dk/uploads/1/3/0/8/130813658/rekem.pdf
    • http://iron2ironwellness.com/uploads/1/3/0/2/130288932/bitolusapuj.pdf
    • http://jachuberman.com/uploads/1/3/0/6/130604613/67dcb.pdf
    • http://sagebrushvet.com/uploads/1/3/0/4/130490665/2ccdd435de2642.pdf
    • http://coloursmobilespa.com/uploads/1/3/1/3/131384539/geteditaxo_xukexedamifudib_fifebawezokuba_jejevozobu.pdf
    • http://creativegracejourney.com/uploads/1/3/0/4/130494059/4940829.pdf
    • http://dvecchiodesign.com/uploads/1/3/0/5/130545816/128d7.pdf
    • http://rebuildyourworld.org/uploads/1/3/0/4/130483200/sugijilixoxunuvewiba.pdf
    • http://roanokedentalcare.net/uploads/1/3/0/6/130639616/3036178.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • stream_008_off0001a6ee.bin
    SHA-256: d1aa201b50d0a8d22bb463bcbe2e62d5d15aaa16eb5a70e97886aa2ea9aa9631
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1A6EE
    Size: 38492 bytes
  • font_00_sfnt_off00016f2f.bin
    SHA-256: 2dbb2b235096bdec5e14920ca2759daf3aaf32222e73613051b991e370e3951d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16F2F
    Size: 15464 bytes
  • font_01_sfnt_off00019dd0.bin
    SHA-256: 87fd6b1a35a64f5c2d30902eea89631a9c05d6b36ef70c6d0cee4d2ad867525e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19DD0
    Size: 2596 bytes