Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccde41748b9f8cca…

Verdict: MALICIOUS
File type: PDF
Size: 55.6 KB
Created: 2020-03-25 04:31:15 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: feec7142a0d5e2edd6d197621c7bb470
SHA-1: 3d58a6495aaafc1d18783010d3aa51a095def59e
SHA-256: ccde41748b9f8ccade2ec6385789947bc6096d4c1509e560d5ff76a5e3abbd57
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a mass of external links, a common technique in SEO-spam or phishing campaigns. The document body, though heavily obfuscated, contains references to 'Substructure and superstructure bridge' and to the wkhtmltopdf tool, suggesting a lure built around technical content. The embedded links point to various domains that are all structured similarly, indicating a coordinated effort to redirect users. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000b06b.bin
    SHA-256: 586e62f6cdf8a0910a6022a823da5997b35e995fab33f1effa30577fa4b6d7fa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB06B
    Size: 8440 bytes