Malicious PDF — malware analysis report

Static analysis result for SHA-256 21cf7a8f5d41d7dc…

MALICIOUS

PDF

Size: 44.1 KB   Created: 2020-03-18 17:52:30 +02:00   Producer: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 74468548e3579ca6d94ea0a26bc6f0ee   SHA-1: ca427dea3e477fe24deb245214e48f8f4e5b4a44   SHA-256: 21cf7a8f5d41d7dc8344bb4d0adfa2643cf8c3d441d92ee214770b390c88c30c
Risk score: 110

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The PDF embeds JavaScript and carries a large number of external links, the pattern of an SEO-poisoning or link-farm carrier rather than of a normal document. The SE_CLICKFIX heuristic fired on text that tells the reader to run a command by hand (Win+R or a terminal paste); ClickFix lures exist so that no macro or exploit is needed at all, the victim executes the command that fetches the second stage. The T1059.001 (PowerShell) mapping follows from that heuristic: this report quotes no recovered command line, so the actual interpreter should be confirmed from the extracted text before the technique is asserted. The primary URL is http://krei-energy.com/uploads/1/3/0/7/130738572/130738572.html; its fragment (registration+code+for+sims+3+supernatural) is search-engine bait. The two dozen .pdf links listed under EMBEDDED_URL sit on many different hosts but share one /uploads/1/3/0/<n>/<id>/ path template, consistent with mass-generated carrier documents (the producer string wkhtmltopdf 0.12.1.4 indicates HTML-to-PDF generation). The document body itself is heavily obfuscated but contains references to the URLs.

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CLICKFIX (high): ClickFix social engineering attack
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://krei-energy.com/uploads/1/3/0/7/130738572/130738572.html#registration+code+for+sims+3+supernatural
    • http://www.leajoaccessories.com/uploads/1/3/0/6/130620649/7b61772bceb1a.pdf
    • http://ncbestsigns.com/uploads/1/3/0/4/130476248/ce03d55.pdf
    • http://spirituallyyou.life/uploads/1/3/0/2/130287505/6013687.pdf
    • http://dgias.pl/uploads/1/3/0/7/130775519/lalanoxisub-leboxafu-penowedit-navodesup.pdf
    • http://terrafarms.info/uploads/1/3/0/4/130488955/koxilowuraz.pdf
    • http://ds4all.tech/uploads/1/3/0/2/130288540/de55605532f.pdf
    • http://www.womensbusinesstasmania.com/uploads/1/3/0/3/130379777/799137943.pdf
    • http://aviationmarketingteam.com/uploads/1/3/0/6/130621525/9d55edce16d67.pdf
    • http://imgbasic.com/uploads/1/3/0/5/130539657/zowuzesalufopo.pdf
    • http://axesatmobility.com/uploads/1/3/0/5/130588550/fupaxagama_povimexaka_xogiworu.pdf
    • http://midcenturymomern.com/uploads/1/3/0/6/130639879/sofiwulalenuv_nukupowuguledow.pdf
    • http://truthcm.com/uploads/1/3/0/6/130621619/d5f232aea309.pdf
    • http://diabetesindependence.com/uploads/1/3/0/3/130324050/kubawemo.pdf
    • http://crosbyirontonmusic.org/uploads/1/3/0/2/130274088/bd4d382730e1.pdf
    • http://southeastbattery.com/uploads/1/3/0/6/130621703/tuwuderido_kugageniwobufon_naxoferifirudo.pdf
    • http://genacorpict.com/uploads/1/3/0/7/130739119/bozameve-wepulaf-kukar.pdf
    • http://714.mbbdb.chanble.com/uploads/1/3/0/7/130739582/9479775.pdf
    • http://truebloodamericans.com/uploads/1/3/0/8/130874133/ralopatemenikaselor.pdf
    • http://thenewmathclub.com/uploads/1/3/0/2/130272270/a2a48e65e.pdf
    • http://riveterservices.com/uploads/1/3/0/6/130621963/4704855.pdf
    • http://ciaopin.com/uploads/1/3/0/8/130874307/de63519d.pdf
    • http://warehousesixmusic.com/uploads/1/3/0/7/130775722/50d75759e4f17.pdf
    • http://www.integrium.co/uploads/1/3/0/7/130738644/3725128.pdf
    • http://kcmwebco.com/uploads/1/3/0/6/130639683/jixaribon.pdf
    • http://kcmwebco.com/uploads
    The remaining six entries are XMP/RDF namespace identifiers from the metadata packet, not navigable links; they are listed because the URL sweep matched them, and should be excluded from any link count:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
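As an added example, not the analysis platform's code and not extracted from this sample, the following Python reproduces the checks behind the five heuristics above over raw PDF bytes: /URI action targets for PDF_URI, a generic URL sweep with the XMP namespace filter for EMBEDDED_URL, a /JS reference for PDF_JS, a small-file plus many-.pdf-links test with host clustering for PDF_SEO_LINK_FARM, and a Win+R / "paste the command" regex over Tj text (inflating FlateDecode content streams) for SE_CLICKFIX. The PDF it analyses is constructed inline; the thresholds, hostnames and ClickFix phrase list are assumptions, not the vendor's values.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# XMP/RDF namespace URIs live in the metadata packet; they are identifiers,
# not links a reader can follow, so they are excluded from link counting.
METADATA_NS_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/",
    "http://ns.adobe.com/",
)

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^)\\])*)\)")      # /URI (literal string)
URL_RE = re.compile(rb"""https?://[^\s()<>"'\[\]]+""")     # any URL-looking token
JS_RE = re.compile(rb"/JS\b|/JavaScript\b")                # JS action or stream ref
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^)\\])*)\)\s*Tj")         # text-show operator
CLICKFIX_RE = re.compile(                                  # assumed phrase list
    r"win(?:dows)?\s*\+\s*r\b|run\s+dialog|paste\s+(?:this|the)\s+command", re.I)


def decode_streams(pdf):
    """Yield each stream body, inflating FlateDecode streams where possible."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:          # not zlib data: plain text, image, XMP ...
            yield m.group(1)


def extract_uris(pdf):
    """Targets of /URI actions (the PDF_URI channel), decoded as latin-1."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def extract_all_urls(pdf):
    """EMBEDDED_URL view: every URL seen, tagged with the channel that reached it.
    Returns (urls -> sorted channels, ignored metadata namespace URIs)."""
    found = {}
    for u in extract_uris(pdf):
        found.setdefault(u, set()).add("uri-action")
    for m in URL_RE.findall(pdf):
        found.setdefault(m.decode("latin-1"), set()).add("raw")
    for body in decode_streams(pdf):
        for m in URL_RE.findall(body):
            found.setdefault(m.decode("latin-1"), set()).add("stream")
    ignored = sorted(u for u in found if u.startswith(METADATA_NS_PREFIXES))
    urls = {u: sorted(c) for u, c in found.items() if u not in ignored}
    return urls, ignored


def extract_text(pdf):
    """Crude text recovery: literal strings handed to Tj in any content stream."""
    return " ".join(t.decode("latin-1")
                    for body in decode_streams(pdf) for t in TJ_RE.findall(body))


def triage(pdf, small_size=200_000, min_pdf_links=10, cluster_ratio=0.5):
    """Score the heuristics. Thresholds are assumptions, not the vendor's values."""
    uris = [u for u in extract_uris(pdf) if not u.startswith(METADATA_NS_PREFIXES)]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    urls, _ = extract_all_urls(pdf)
    hits = {}
    if uris:
        hits["PDF_URI"] = "info"
    if urls:
        hits["EMBEDDED_URL"] = "info"
    if JS_RE.search(pdf):
        hits["PDF_JS"] = "low"
    if (len(pdf) < small_size and len(pdf_links) >= min_pdf_links
            and top_count / len(pdf_links) >= cluster_ratio):
        hits["PDF_SEO_LINK_FARM"] = "critical"
    if CLICKFIX_RE.search(extract_text(pdf)):
        hits["SE_CLICKFIX"] = "high"
    return {"hits": hits, "pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": top_count / len(pdf_links) if pdf_links else 0.0}


def build_sample_pdf():
    """Constructed sample, not the analysed file: 12 .pdf link annotations (9 on
    one host), a /JS open action, a FlateDecode content stream carrying ClickFix
    wording, and an XMP packet whose namespace URI must be ignored."""
    hosts = ["farm-a.example"] * 9 + ["farm-b.example", "farm-c.example", "farm-d.example"]
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://%s/uploads/1/3/0/%d/%d.pdf) >> >>"
        % (h.encode(), i % 10, 130000000 + i) for i, h in enumerate(hosts))
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (Press Win+R, paste the command below and hit Enter) Tj ET")
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for rule, severity in result["hits"].items():
        print(f"{rule:20} {severity}")
    urls, ignored = extract_all_urls(SAMPLE_PDF)
    print(f"{len(urls)} URLs, top host {result['top_host']} "
          f"({result['top_host_share']:.0%} of .pdf links); ignored {ignored}")
```

The block clusters on hostname because that is what the PDF_SEO_LINK_FARM description says; the links in this report are spread across many hosts and share a path template instead, so a production rule should also key on a normalised path (digits collapsed) before deciding the links are "clustered". The regex-level parsing deliberately ignores the xref table, which is what you want for triage: a malformed or obfuscated file still yields its /URI, /JS and stream contents.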

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008174.bin
SHA-256:  1b76095ec420f044cdbcc51c784ecc5bc422325a3884e477730ca75118d12f13
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x8174
Size:     8544 bytes

An embedded sfnt font is expected in HTML-to-PDF output such as wkhtmltopdf's; the artifact is listed for hashing and correlation across related carriers, not as a detection in itself.