Malicious PDF — malware analysis report

Static analysis result for SHA-256 f198704c18e59726…

MALICIOUS

PDF

Size: 37.4 KB
Created: 2020-06-16 23:42:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6d32ff12f5f99ded6661a341bcdafaef
SHA-1: fc0038e679682465c28f0805bc67fe22ed539ece
SHA-256: f198704c18e597265daa27355215643646726d4c652ae908a1b9330fd5ea4074
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to SEO-optimized PDF pages. This suggests a link farm or traffic-generation scheme. The document body contains text related to 'Rewriting sentences worksheet' and metadata indicating it was generated by wkhtmltopdf, which is often used to create PDFs from web content. The primary attack pattern involves directing users to a network of potentially malicious or ad-filled websites.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005708.bin | 8763794d315a2f1decdd12f0842e896032bc73d3fc04cd3bb25499d20e1b9b8a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5708 | 4768 bytes
font_01_sfnt_off0000674c.bin | 8b2a5bd4bc33ad0c6b78f364f3a2295c31f1e84eaf3a7c16593392ca11336000 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x674C | 10152 bytes