Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac3957090c9ea5fa…

Verdict: MALICIOUS
File type: PDF
Size: 51.1 KB
Created: 2020-06-04 23:05:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 961f54fe988f1d1cbf4e1422546319b7
SHA-1: 6a65e971cf45ddaef9ae2b8bfd28fe0b04d9a8cb
SHA-256: ac3957090c9ea5fa4966895b92fef7c7f85e6a6af9603858a3076c864d89be14
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to many different domains, most of which appear to belong to a link farm built to manipulate search engine results or to host malicious content. The document body itself is garbled text, but it includes the phrase 'Garmin vivosport release date' and names 'wkhtmltopdf' as the authoring application, which suggests an automatically generated lure or disguise. The primary intent appears to be steering users into a network of suspicious URLs.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00006df8.bin
    SHA-256: d4bd6e2a686a35f3e8e6a4112a812763174495b58b393152db4e6264c5f08705
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6DF8
    Size: 16556 bytes
  • Filename: font_01_sfnt_off00009b36.bin
    SHA-256: 2f6303d9f930c36ec5e7715c47cd998197c309660b37d5694d13f456a66ec0f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B36
    Size: 10004 bytes