Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa9d4447593a6d82…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Created: 2020-04-09 21:21:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3c334a8a11c121d77680c95877d22672
SHA-1: 5e87e601985c76473c77b95abd3b309bc04e4649
SHA-256: aa9d4447593a6d82aaa27a5e652f538648313aefff4cb66e6d3bb07a382a42f6
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links pointing to various domains, a pattern typical of SEO link farming. The primary heuristic fired is 'PDF_SEO_LINK_FARM', with 'votefortv.com' as the dominant host, which suggests a coordinated effort to manipulate search engine rankings. The document body, though partially corrupted, contains a title related to trigonometric functions and references to wkhtmltopdf, indicating that the file was most likely generated programmatically. The embedded URLs are the main indicators of malicious activity; they most likely serve as lures or redirects to further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, id: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off0000662a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x662A   8412 bytes
  SHA-256: 9852171df5b77ccf21c07d3cec92f3e155cef4b4e8be8e35f8d270d1a97a8735
font_01_sfnt_off0000853f.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x853F   2860 bytes
  SHA-256: 4d9ec2aec8f1ca6bebe1b56492fd55a77bba3a6e98efb76508c1b835d4eb9912