Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6a96b817f45e3d8…

MALICIOUS

PDF

32.9 KB Created: 2020-04-26 19:07:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 879adc1e0ee1d4307fa2040a5eafbf9d SHA-1: c0f3cd70a4f539ad415fc6fa60289a9835560932 SHA-256: a6a96b817f45e3d8032a68725e7b29188e819d9b3c03c67cca7c1048adc60dd3
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a significant number of external links, many of which are numerically or generically named PDFs hosted on unrelated domains, indicating a link farm or SEO manipulation tactic. The document body mentions 'Brother mfc- j2330dw' and 'wkhtmltopdf', suggesting a lure related to printer information. No scripts were extracted from this sample. The primary attack pattern involves directing users to a network of external sites.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stator-creative.com/uploads/1/3/1/6/131606890/131606890.html#brother+mfc-+j2330dw
    • http://cslawnmaintenance.com/uploads/1/3/0/7/130775615/63836a56df936a7.pdf
    • http://foreverhemplife.com/uploads/1/3/0/4/130489265/6147526.pdf
    • http://zellawatson.com/uploads/1/3/0/5/130588560/xapusazigogujob-zevoxaponefozij.pdf
    • http://bridgemanagementservicesllc.com/uploads/1/3/1/4/131453316/e6b25.pdf
    • http://godspowerchapel.org/uploads/1/3/1/6/131637311/linosam_valag_dedevinelozamog_lilozasinib.pdf
    • http://shawngibson.ca/uploads/1/3/1/4/131407222/3876402.pdf
    • http://accentbrass.com/uploads/1/3/0/8/130874297/1795311.pdf
    • http://finopticsbi.com/uploads/1/3/0/3/130379297/7aa98e.pdf
    • http://reyamengineering.net/uploads/1/3/1/6/131607131/navurimajimegof-wizidokoxofi-xorunuredixirep-jexix.pdf
    • http://emeraldgreenandwhite.com/uploads/1/3/0/5/130588621/7257179.pdf
    • http://bigbabybitez.com/uploads/1/3/0/8/130814101/lusofa.pdf
    • http://figoensemble.com/uploads/1/3/0/7/130776605/foduxemix.pdf
    • http://leonaraneta.com/uploads/1/3/0/2/130289573/1555098.pdf
    • http://thenewlyqualifiedteacher.com/uploads/1/3/0/2/130272242/vadepusesikinad.pdf
    • http://benchmark-llc.com/uploads/1/3/0/7/130739419/nebeli.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005932.bin
9ef9d5efc6d26dc94adcb55773bc63e22b67a6cb0411bca02fafd5dec9b405ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5932 7852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.