Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fadd0291b585657…

MALICIOUS

PDF

Size: 119.8 KB
Created: 2020-04-29 10:48:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 378749f6316d0c467fb0fdc889205b72
SHA-1: 3824f47b65273f2d3c427bbb79a72bead59a6306
SHA-256: 1fadd0291b585657712429b2acd389c76cf14357e48eaf8f0c3c6b5b36122e74
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1204.001 Malicious Link
  • T1534 Credentials from Password Stores

The PDF file contains a large number of external links, many of which are structured as SEO-friendly numeric slugs, which indicates a link farm. The heuristic 'SE_SECRET_RECOVERY_LURE' strongly suggests that the document's content is designed to trick users into revealing sensitive information such as private keys or backup codes. The embedded URLs likely lead to further malicious content or phishing pages.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_SECRET_RECOVERY_LURE (critical): Recovery secret / private key request
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://atelierjademyr.ca/uploads/1/3/1/0/131070827/131070827.html#consul+template+environment+variables
    • http://chardesair.art/uploads/1/3/0/4/130488096/5668397.pdf
    • http://clermontbasketball.com/uploads/1/3/0/6/130639745/3577232.pdf
    • http://the-personalised.com/uploads/1/3/0/6/130605259/bukuvazoderim.pdf
    • http://cannapendium.com/uploads/1/3/0/2/130289288/2320103.pdf
    • http://healingcrystalwirewrapping.com/uploads/1/3/1/0/131070523/29ff49e.pdf
    • http://frititi.com/uploads/1/3/0/7/130738568/8617474.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001affe.bin
SHA-256: 4399c8c2581daa8b5a41859814a8af5c2a6a87cafb3ad971c910ec44b8c0f1d9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1AFFE
Size: 9080 bytes