Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1b5bc6571575227…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Created: 2020-04-01 17:15:48 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 95b592040b13b9782753d541dc41d1e8
SHA-1: 6c4c92a8a53f1552df22255dcab9ecab93498ac1
SHA-256: e1b5bc65715752275dae1261fa0c7a761bde96dd25230d8405d4a7cc3ca1154e
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body contains text related to 'Tiempo de incubacion el sida' and metadata indicating it was generated by wkhtmltopdf. The primary attack pattern appears to be a link farm designed to drive traffic to potentially malicious or SEO-manipulated content. No scripts were extracted, limiting the ability to determine further payload delivery or execution.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://clucktruckportland.com/uploads/1/3/1/1/131164278/131164278.html#tiempo+de+incubacion+el+sida
    • http://electric-engine-generator.com/uploads/1/3/0/7/130739309/sokeboboxavef.pdf
    • http://fbavideos.com/uploads/1/3/0/3/130323311/potiranuzan.pdf
    • http://paradisetransport.net/uploads/1/3/0/9/130969623/donuxiviwunano.pdf
    • http://ladiligence.org/uploads/1/3/0/7/130740504/bapimiposiraxa.pdf
    • http://daniellambert.net/uploads/1/3/0/5/130589195/jexivadapamum-zatopekosaka.pdf
    • http://painfreeretreats.com/uploads/1/3/0/4/130436173/neromuni-nelak-sovizufididom.pdf
    • http://transatlanticwoundcare.com/uploads/1/3/0/5/130551176/ranuwusupetezajukus.pdf
    • http://retailrewind.com/uploads/1/3/0/6/130605125/semodupuxuzomeminut.pdf
    • http://5veast.com/uploads/1/3/0/3/130324351/nulaximipuped-vezaxegawulimu-famipiponuso.pdf
    • http://kingmeministries.com/uploads/1/3/0/9/130969774/8ea9bcd6682.pdf
    • http://www.hawkwelldrilling.com/uploads/1/3/1/1/131163507/56e930.pdf
    • http://tinyopz.net/uploads/1/3/0/5/130543190/5904413.pdf
    • http://ultrachiropracticandrehab.com/uploads/1/3/0/5/130589137/04e8d.pdf
    • http://ginoscreativecooking.com/uploads/1/3/1/3/131378921/6150932.pdf
    • http://moreaction.co/uploads/1/3/0/2/130288864/d2c6c85d85fe24.pdf
    • http://dragonroccacademy.org/uploads/1/3/0/5/130590475/dunepa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000104ad.bin
    SHA-256: acbf71b5822ed70de86b7d30feb3bc08024f7b5d22fa98a375cbe80c73201db4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x104AD
    Size: 9408 bytes