Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0acc861fe693b3f…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Created: 2020-06-09 02:31:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b5eb8e3eb781240238246b843c43a1f
SHA-1: 7381d985ad0c0c0e5f98509b28c02d7c435620bd
SHA-256: b0acc861fe693b3f2b210bfba1e7cfae520f4ffbc39bff21cce49f42970a304c
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. This pattern is indicative of a link farm or SEO abuse technique, often used to distribute malicious content or generate traffic. The document body itself contains garbled text and the application name 'wkhtmltopdf', suggesting it was programmatically generated. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005d00.bin
SHA-256:  ea0e695e4b643e1fc4201668202cb3b3f5ffa7837b9b6161f6844a3558d20028
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5D00
Size:     10968 bytes