Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbb727ea3ecb41b8…

MALICIOUS

PDF

30.4 KB Created: 2020-06-06 00:26:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 5916654ce767b3c3d4a35428e25f1fca SHA-1: 5030a839b4964ad68e009af5a2f1f178edba36de SHA-256: dbb727ea3ecb41b88d408efbe961ffffe1b87d6ad3a990e21ac47d7ba062ec2e
62 Risk Score

Malware Insights

MITRE ATT&CK
T1598 Stage Capabilities: Gather Victim Identity Information T1204 User Execution: Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, includes text related to coloring pages and metadata indicating it was generated by wkhtmltopdf, suggesting a potential lure. The primary attack pattern involves directing users to a farm of external PDF files hosted on various domains, which is a common tactic for SEO manipulation or distributing further malicious content. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://qcmaine.com/uploads/1/3/0/6/130604878/130604878.html#desenho+de+janelas+para+colorir
    • http://sculptedforest.com/uploads/1/3/0/5/130542865/e25274741.pdf
    • http://mta-sts.communitybldg.net/uploads/1/3/0/8/130813896/ravikurogu.pdf
    • http://cbsarquitectos.com/uploads/1/3/0/5/130589302/polozeranitobexa.pdf
    • http://gaymeonhaters.com/uploads/1/3/0/6/130604888/vivesubifelasowe.pdf
    • http://blackkkkkk.com/uploads/1/3/0/5/130588484/genesiwavegaromatu.pdf
    • http://qcmaine.com/uploads/1/3/0/6/130604878/terms.html
    • http://qcmaine.com/uploads/1/3/0/6/130604878/dmca.html
    • http://qcmaine.com/uploads/1/3/0/6/130604878/policy.html
    • https://bovisomomexa.files.wordpress.com/2020/06/sewetexuk.pdf
    • https://diwunibe.files.wordpress.com/2020/06/liwudutukupemanuxivijo.pdf
    • https://segemabo.files.wordpress.com/2020/06/86297644804.pdf
    • https://rifipefat.files.wordpress.com/2020/06/23184495023.pdf
    • https://mekerug368181460.files.wordpress.com/2020/06/duvomenumusovifimepinuba.pdf
    • https://mukagalezep.files.wordpress.com/2020/06/54094213811.pdf
    • https://jakuwil.files.wordpress.com/2020/06/57913452722.pdf
    • https://vezegez.files.wordpress.com/2020/06/zapamejizolidowofuxesedo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004c0a.bin
7f2b0983de966396e8e6942de463e335367b87364d9340d10d2654d0a6d8d595		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C0A 10612 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.