PDF malware analysis — malicious · b371aec2bdceb353

MALICIOUS

PDF

63.9 KB Created: 2020-03-10 06:38:14 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 6151831ca7e48754bb0664eb968e90aa SHA-1: 160260daca02eefac32c3df45fc0b99c84fa9cf1 SHA-256: b371aec2bdceb3533967de3f0e47e0ea1021c3a2406f53dd1d1251e9ecf10327

62 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO manipulation or to distribute malicious content. The primary heuristic identified a link farm with 30 external PDF links, suggesting a coordinated effort to host or redirect to potentially harmful files. The document body contains garbled text and metadata from wkhtmltopdf, indicating it was likely generated programmatically rather than being a user-facing document.

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://a1209599xstreamtravel.xsideas.com/uploads/1/3/0/7/130776521/130776521.html#aplastic+anemia+survival+rate+age
- http://salinaseminarseries.com/uploads/1/3/0/6/130639590/redak.pdf
- http://delegationband.com/uploads/1/3/0/8/130813738/18cf000c458e0d.pdf
- http://toneboxdigital.com/uploads/1/3/0/5/130551805/misopanuwiwedar.pdf
- http://lianacassar.org/uploads/1/3/0/5/130590687/gawudip.pdf
- http://wickedkandles.com/uploads/1/3/0/6/130604127/6067015.pdf
- http://garbervillerodeo.org/uploads/1/3/0/6/130620968/9990566.pdf
- http://everythingessentialblog.com/uploads/1/3/0/7/130739697/9072516.pdf
- http://www.rockwoodreadings.com/uploads/1/3/0/3/130323335/nuporexuk.pdf
- http://bestcollegefootballplayoff.com/uploads/1/3/0/4/130488699/mutasavilubesax.pdf
- http://chloecustomcollections.com/uploads/1/3/0/2/130289246/zufabegizani-xereniwi.pdf
- http://eis-breeding.com/uploads/1/3/0/8/130814714/29fa4c71912.pdf
- http://www.tricountyofficespace.com/uploads/1/3/0/6/130605240/denoregejosimo.pdf
- http://daveformaine.org/uploads/1/3/0/7/130776865/jujitire.pdf
- http://asleepwalkersguide.com/uploads/1/3/0/8/130814596/fabedesokoxejegom.pdf
- http://ppas2020.com/uploads/1/3/0/6/130605389/ribonuzu_zedajofi_tolemuwaxives.pdf
- http://krazyketomom.com/uploads/1/3/0/6/130640029/b86409e23e2544.pdf
- http://tiered-educational-consulting.com/uploads/1/3/0/2/130270836/f8b9115.pdf
- http://eehenry.com/uploads/1/3/0/3/130313149/liverakejuzode_kulugiluwi.pdf
- http://www.johnnyraygibbsactor.com/uploads/1/3/0/7/130739445/zazolokubap_ruzipedi_xureranuwamagap.pdf
- http://www.topthreespots.com/uploads/1/3/0/9/130969034/rinozubujilan.pdf
- http://mail.kwb-vlaanderen.be/uploads/1/3/0/7/130739525/8958623.pdf
- http://mail.emilyyearsley.co.uk/uploads/1/3/0/7/130776228/c8789a987.pdf
- http://littlehouseonthegrid.net/uploads/1/3/0/4/130478868/57043e099442862.pdf
- http://www.usabeachtour.org/uploads/1/3/0/9/130969434/2586264.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000d069.bin` `efba1a24dd13018d5ad44ca4fdcee43312f2fab3d19b8971818c370c6a7d6b14`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD069	8184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.