Malicious PDF — malware analysis report

Static analysis result for SHA-256 201bb9f1aa7833f0…

MALICIOUS

PDF

41.7 KB Created: 2020-04-06 14:28:16 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ca1956cdcaac5ace8d8faa17ce927482 SHA-1: d1b29aee405b5e3151f0300b292f56dfdd4e67b3 SHA-256: 201bb9f1aa7833f07db7800f4cf391de4e5809e2efdf828475e88f7d66cdbf0d
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a significant number of external links, many of which point to other PDF files hosted on similar domains. This pattern is indicative of a link farm or SEO manipulation tactic, potentially used to distribute malicious content or to obscure the true origin of a phishing attack. The heuristic 'SE_PAYMENT_REDIRECT_LURE' suggests a business email compromise context, where users might be tricked into changing payment details.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wordsmith-sg.com/uploads/1/3/1/3/131398008/131398008.html#objetos+por+la+letra+y+en+ingles
    • http://bridgesports.club/uploads/1/3/1/3/131380786/savowawakij.pdf
    • http://maverbrick.com/uploads/1/3/0/9/130969942/motixegigexitamam.pdf
    • http://doublehaulmt.com/uploads/1/3/0/3/130323355/4200988.pdf
    • http://millerconstructionconcepts.com/uploads/1/3/1/1/131164295/e208679133a.pdf
    • http://nadnat.com/uploads/1/3/0/5/130588744/7f30b81214a3.pdf
    • http://thewindingsheetoutfit.org/uploads/1/3/0/2/130287547/punajokuxadaxok.pdf
    • http://gmsdezigns.org/uploads/1/3/0/8/130874668/lufububuj-sigitefoma-tetife.pdf
    • http://theinkbeautybar.com/uploads/1/3/0/9/130968995/zefuzegazupowawux.pdf
    • http://zsofiaforro.com/uploads/1/3/0/7/130775951/xabebotipariputob.pdf
    • http://mielikkishots.com/uploads/1/3/1/3/131398542/524b9b3b.pdf
    • http://commondefenseproject.com/uploads/1/3/1/1/131163969/3570547.pdf
    • http://cheshirelanepress.com/uploads/1/3/0/7/130740129/1c0a2fcdfd5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000077fb.bin
3f4a0381bb20657c10208c649a1b51149de0a5150f372c1d1bf13326e528edde		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77FB 8892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.