Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2d4d6ff0b6de728…

MALICIOUS

PDF

37.5 KB Created: 2020-03-31 03:23:49 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 830f3412d0a6d12b573946970cac7cb7 SHA-1: 6f11b364e4b302d187eb6002feca96726d2b9358 SHA-256: a2d4d6ff0b6de7283fda2f55ca87035ebb1c8e54c4b4730f4c9a3875af7f3619
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to similarly structured URLs on different domains, indicating a link farm or SEO spam operation. The document body mentions 'freight train tabs pdf' and includes metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs for SEO purposes. The presence of a 'download button' heuristic further supports the lure tactic. No scripts were extracted, limiting the analysis of direct payload delivery.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://julianthology.com/uploads/1/3/1/4/131437980/131437980.html#freight+train+tabs+pdf
    • http://mrsbordelon.com/uploads/1/3/0/9/130969042/difumezinupolulimitu.pdf
    • http://pandasalliance.org/uploads/1/3/0/5/130548070/guvavonigipopipa.pdf
    • http://modernmoroni.org/uploads/1/3/0/6/130620998/kugozixaripus.pdf
    • http://lopespintura.com/uploads/1/3/0/8/130873801/3260738.pdf
    • http://channelthestar.com/uploads/1/3/0/5/130551115/874449.pdf
    • http://cvillepromovers.com/uploads/1/3/0/3/130324326/zozutuj.pdf
    • http://guadaluperadiohombrenuevoelfraude.com/uploads/1/3/1/1/131164358/551cfda8aa5.pdf
    • http://plainspropertymanagement.com/uploads/1/3/0/9/130969728/wulejuturujewekoner.pdf
    • http://pinkspanails.com/uploads/1/3/0/5/130540788/torubu.pdf
    • http://gabelidigital.com/uploads/1/3/0/5/130540063/989125.pdf
    • http://maureenallenlandscapes.com/uploads/1/3/0/2/130271143/defojonufusen.pdf
    • http://redhotyogastudio.com/uploads/1/3/0/9/130969707/843406b.pdf
    • http://verticalfitness100.com/uploads/1/3/1/3/131380741/8531cea9abf2.pdf
    • http://londonreviewbank.com/uploads/1/3/0/4/130435884/db86c3ea67.pdf
    • http://suntnenorocit245.com/uploads/1/3/0/6/130605075/5307195.pdf
    • http://mail.weinclusive.com.au/uploads/1/3/0/4/130435821/f6cd97.pdf
    • http://adiposesolutions.com/uploads/1/3/0/4/130477040/velafabe.pdf
    • http://arenagorilla.com/uploads/1/3/0/5/130543437/wobeti.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068ec.bin
17fd93b497c429e22c8989a5d70e0d74765024ef92ec61c334ac283d7fa849ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68EC 8260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.