Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b990a1cd92de0a8…

MALICIOUS

PDF

68.9 KB Created: 2020-03-28 08:01:01 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: feff51840ff834ae8d5a3924e106ca56 SHA-1: 829e494b4b69bd86b92da7cec42d6929df821be1 SHA-256: 1b990a1cd92de0a8ae8c6cbfe1c779f2bf4a9c8038aeb9b683538b80f9ae4847
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous external links, a common tactic for SEO poisoning and redirecting users to malicious sites. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document's content is designed to trick users into believing they are entitled to a prize or parcel, requiring them to pay a fee or provide information. The embedded links, such as http://generationhit974.com/uploads/1/3/0/3/130379058/130379058.html#master+public+health+karolinska+institutet, likely lead to further stages of this scam.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://generationhit974.com/uploads/1/3/0/3/130379058/130379058.html#master+public+health+karolinska+institutet
    • http://ashgailmarketing.com/uploads/1/3/0/6/130639835/c26e5710.pdf
    • http://h2openplus.com/uploads/1/3/0/4/130476066/4604908.pdf
    • http://brockbevan.com/uploads/1/3/1/0/131071137/9617709.pdf
    • http://viperfisharts.com/uploads/1/3/0/8/130815228/jewexuxesak-tikivefasefijuk-pofiga-tepesazipin.pdf
    • http://www.macnar.co.uk/uploads/1/3/0/8/130874233/bf5a74.pdf
    • http://hp-leads.com/uploads/1/3/0/7/130775331/pudabisekolufavawot.pdf
    • http://thesouthernsigns.com/uploads/1/3/0/2/130270798/tuferav.pdf
    • http://www.dmuaraonline.com/uploads/1/3/0/2/130271224/9570142.pdf
    • http://bornagainhomesllc.com/uploads/1/3/0/4/130488091/jikudojumebebetu.pdf
    • http://www.stromphoto.com/uploads/1/3/0/4/130436362/zudivotajek-davaw.pdf
    • http://uwewidmann.com/uploads/1/3/0/3/130379204/476784fb3.pdf
    • http://dedicatedanddevoted.com/uploads/1/3/0/4/130476043/gijujuv.pdf
    • http://jaytans.com/uploads/1/3/0/5/130550758/neseruwabifi-tabamapimeto-vunez-mubamorudak.pdf
    • http://www.tree-care.net/uploads/1/3/0/3/130323554/wijemafegupavixek.pdf
    • http://knightsandogres.com/uploads/1/3/0/6/130604351/mawakodijiter.pdf
    • http://imaginaryadventures.me/uploads/1/3/0/6/130621330/7132534.pdf
    • http://www.ctxtravel.com/uploads/1/3/0/7/130776609/6243221.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e56e.bin
90f5464539f2658e2d07d2f707122197fcda89251bd813fe47510a132f1d7fa8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE56E 9100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.