Malicious PDF — malware analysis report

Static analysis result for SHA-256 abdc0ccfadeed78c…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2020-03-30 02:32:07 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5b742b96e00005d1cff58fa040a9f9d9
SHA-1: c3d4e636a866370a8ded8aeddec5620a18ccd120
SHA-256: abdc0ccfadeed78ccb2d352176652f26878db1110a7ba3c3f653c0aab2fc5027
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are dynamically generated and point to domains that appear to form a link farm. The document body, though heavily obfuscated, contains references to 'Stihl fs 45 manual pdf' and 'wkhtmltopdf', suggesting the document is a lure built to disguise its purpose. The primary attack pattern is redirecting users to these external URLs, likely for further exploitation or phishing.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008226.bin
SHA-256: ff8c68d593c104c5dfe1ce7ec060ebf40c97830b63657907306ed310106a367c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8226
Size: 8084 bytes