Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6832d1ee76f924a…

Verdict: MALICIOUS
File type: PDF
Size: 59.8 KB
Created: 2020-06-17 04:10:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7d3d36ae058df7afd652ff2047d384a6
SHA-1: fc0023dda0f9ad5963f98be5b823b4dcf3c054bb
SHA-256: a6832d1ee76f924aadd91c4d03ac0bcd2b55a8b3edfaf5cc3112a13dde1165d1
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1059 Command and Scripting Interpreter; T1598 (shown by the scanner as "External Remote Services", but that name belongs to T1133; T1598 is Phishing for Information). Note that no script or other active content was extracted from this sample, so the T1059 mapping is not backed by the artifacts below; the only behaviour the evidence supports is a user following one of the embedded links (T1204).

The PDF contains a large number of external links, most of which point to other PDF files on unrelated domains that nevertheless share the same /uploads/1/3/<d>/<d>/<id>/ path layout, i.e. one hosting template spread over many domains. This is the pattern of a generated link farm used for SEO manipulation or to route users into malicious or unwanted-software delivery chains, and the primary heuristic PDF_SEO_LINK_FARM fires on it. No scripts were extracted and the analyzer could not read the document body (reported as heavily obfuscated), so static analysis cannot attribute a more specific attack pattern or malware family; the verdict rests on the link graph, not on an exploit or payload found in the file.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (link targets):
    • http://thefishvan.com/uploads/1/3/0/5/130540240/130540240.html#works+cited+guide
    • http://21a.undesirable.us/uploads/1/3/1/4/131454899/6176062.pdf
    • http://hagarsadan.com/uploads/1/3/0/4/130476483/7898684.pdf
    • http://jana-cooper-jewelry.com/uploads/1/3/1/4/131409526/1e327.pdf
    • http://completecarpetrecovery.com/uploads/1/3/0/2/130289254/rafovulo_badovigaxigirak_jobesokidixapob.pdf
    • http://kidscook4acause.org/uploads/1/3/0/5/130589384/a89032b854.pdf
    • http://doubleheartsoapcompany.com/uploads/1/3/0/3/130312952/2612be8f6ac7.pdf
    • http://worldheartsfairtrade.net/uploads/1/3/0/2/130272603/bewud_nowikub_lefog.pdf
    • http://mail.visualconceptspsg.com/uploads/1/3/1/4/131438055/7969619.pdf
    • http://mnhomeinteriors.com/uploads/1/3/1/3/131384400/33112d94.pdf
    • http://paccaroindustries.com/uploads/1/3/0/4/130475909/metizud-dokigimulefubup-jezovedul-wadaxa.pdf
    All eleven targets sit on different hosts but share one /uploads/1/3/<d>/<d>/<id>/ path layout; ten of them are .pdf files, the eleventh is an .html page with a "works cited guide" fragment. The clustering the link-farm heuristic keys on is therefore the shared path template, not a single host.
    The six URIs below are XML namespace identifiers (RDF, Dublin Core, Adobe XMP) that come from the document's XMP metadata packet. They are schema identifiers, not link targets, and carry no weight in the verdict; a triage script should filter them out before counting external links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
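The following is an added example and not the scanner's own code. It shows how a PDF_SEO_LINK_FARM-style check can be implemented: URLs are pulled from a PDF by channel (link annotation /URI actions versus bare URLs in the document body, such as the XMP packet), the XMP namespace identifiers are dropped, and the remaining .pdf targets are tested for clustering by host or by path template. The thresholds, the regex-based extraction (which only sees uncompressed objects; real samples need a parser that inflates object streams, e.g. pdf-parser or pypdf) and the constructed sample PDF are my assumptions; the sample reuses the URLs listed in this report as its link targets.

```python
"""Added example, not the scanner's own code: extract URLs from a PDF by
channel (link annotation vs. document body), drop XMP namespace identifiers,
and apply a PDF_SEO_LINK_FARM-style test. Assumptions (mine): the thresholds,
the regex extraction (uncompressed objects only; real samples need a parser
that inflates object streams), and the constructed sample PDF, which reuses
the URLs listed in this report as its link targets."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Namespace URIs that only appear inside the XMP metadata packet; they are
# schema identifiers, not link targets, so they never count as links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/",
                          "http://ns.adobe.com/")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)   # /URI (literal string); escapes left as-is
BODY_RE = re.compile(rb"https?://[^\s<>'\"()\]]+")       # bare URLs anywhere in the file

REPORT_URLS = [  # link targets taken from this report, used as constructed input
    "http://thefishvan.com/uploads/1/3/0/5/130540240/130540240.html#works+cited+guide",
    "http://21a.undesirable.us/uploads/1/3/1/4/131454899/6176062.pdf",
    "http://hagarsadan.com/uploads/1/3/0/4/130476483/7898684.pdf",
    "http://jana-cooper-jewelry.com/uploads/1/3/1/4/131409526/1e327.pdf",
    "http://completecarpetrecovery.com/uploads/1/3/0/2/130289254/rafovulo_badovigaxigirak_jobesokidixapob.pdf",
    "http://kidscook4acause.org/uploads/1/3/0/5/130589384/a89032b854.pdf",
    "http://doubleheartsoapcompany.com/uploads/1/3/0/3/130312952/2612be8f6ac7.pdf",
    "http://worldheartsfairtrade.net/uploads/1/3/0/2/130272603/bewud_nowikub_lefog.pdf",
    "http://mail.visualconceptspsg.com/uploads/1/3/1/4/131438055/7969619.pdf",
    "http://mnhomeinteriors.com/uploads/1/3/1/3/131384400/33112d94.pdf",
    "http://paccaroindustries.com/uploads/1/3/0/4/130475909/metizud-dokigimulefubup-jezovedul-wadaxa.pdf",
]

def build_sample_pdf(urls):
    """Constructed one-page PDF: one /Link annotation with a /URI action per URL,
    plus an XMP packet whose namespaces mimic the ones the scanner listed."""
    xmp = (b"<?xpacket begin=''?><x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta><?xpacket end='w'?>")
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs]
    for i, u in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (i * 10, i * 10 + 10, u.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

def extract_urls(pdf):
    """Map each URL to the channels that reached it: 'link-annotation' for
    /URI actions, 'document-body' for bare URLs elsewhere (e.g. the XMP packet)."""
    found, link_spans = {}, []
    for m in URI_RE.finditer(pdf):
        link_spans.append(m.span(1))
        found.setdefault(m.group(1).decode("latin-1"), set()).add("link-annotation")
    for m in BODY_RE.finditer(pdf):
        if any(a <= m.start() < b for a, b in link_spans):
            continue  # already attributed to the annotation that carries it
        found.setdefault(m.group(0).decode("latin-1"), set()).add("document-body")
    return found

def is_xmp_namespace(url):
    return url.startswith(XMP_NAMESPACE_PREFIXES)

def path_template(url):
    """Directory part of the path with digit runs collapsed, so that
    /uploads/1/3/0/5/130540240/x.pdf and /uploads/1/3/1/4/131454899/y.pdf
    both become /uploads/N/N/N/N/N."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])

def link_farm_verdict(pdf, min_pdf_links=8, max_size=256 * 1024, cluster_share=0.5):
    """Small file + many clickable external .pdf links + targets clustered on
    one host or on one path template => link farm. Thresholds are assumptions."""
    urls = extract_urls(pdf)
    links = [u for u, ch in urls.items() if "link-annotation" in ch and not is_xmp_namespace(u)]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    denom = max(len(pdf_links), 1)
    top_host = max(hosts.values(), default=0) / denom
    top_template = max(templates.values(), default=0) / denom
    farm = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
            and max(top_host, top_template) >= cluster_share)
    return {"size": len(pdf), "links": len(links), "pdf_links": len(pdf_links),
            "hosts": len(hosts), "top_host_share": top_host,
            "top_template_share": top_template, "link_farm": farm,
            "dropped_xmp": sorted(u for u in urls if is_xmp_namespace(u))}

if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(REPORT_URLS)).items():
        print(key, value)
```

On the constructed sample the verdict is link_farm=True with ten .pdf targets on ten distinct hosts (top_host_share 0.1) but a single path template (top_template_share 1.0), which is why the check clusters on the template as well as on the host; the three XMP namespace URIs are reported under dropped_xmp rather than counted.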

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off0000aad7.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xAAD7   4720 bytes
  SHA-256: 0c9ce7168e26d327b50c1c1a4c13fbe83b942058039135dfe85c2215ed82ad62
font_01_sfnt_off0000bb0a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xBB0A   11400 bytes
  SHA-256: d76d41eb48bc4764a4cd799d62c802f08ba650b845c414bf53c25e2f98f4f769

Embedded fonts are normal output for an HTML-to-PDF converter such as wkhtmltopdf; two small sfnt streams are not an indicator on their own. They are carved and hashed so that samples produced by the same generator can be correlated.