Verdict: MALICIOUS
Risk Score: 112

Malware Insights
MITRE ATT&CK
- T1566.002 Phishing: Spearphishing Link
- T1204.002 User Execution: Malicious File
- T1059.001 Command and Scripting Interpreter: PowerShell
The PDF impersonates a Minecraft Forge download page (the lure URL fragment names "minecraft forge 14.23.5.2772"), but most of its content is a link farm: a small file carrying fifteen clickable links to further PDFs on fifteen unrelated domains that all share the same /uploads/1/3/… path structure, which is the generated SEO/link-farm carrier pattern flagged by PDF_SEO_LINK_FARM. The SE_CLICKFIX heuristic fired on visible text telling the user to press Win+R or paste a command. That is the ClickFix pattern: instead of exploiting the reader or relying on macros (which PDF does not have), the document gets the victim to run the downloader command themselves, typically through PowerShell (T1059.001). The report does not capture the command text, so the second-stage URL and payload are not established here; recover the visible page text and check the link targets before treating any one of the listed domains as the payload host.
Heuristics (5)

- PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm. Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the targets are spread over fifteen distinct domains that share one /uploads/1/3/… path template, so the clustering is in the path layout rather than the host.
- SE_CLICKFIX (high): ClickFix social engineering attack. Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks, which sidestep the need for an exploit or a macro by tricking users into running malicious commands directly. The command text itself is not included in this report.
- SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure. Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- PDF_URI (info): External URI. PDF contains an external URL action.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted:
- http://thehnossaproject.com/uploads/1/3/1/3/131383624/131383624.html#minecraft+forge+14.23.5.2772+applica
- http://cashmannutrition.com/uploads/1/3/0/6/130620633/pejozebapi-kiwamamitirux-juzonemeloli.pdf
- http://tagmintz.com/uploads/1/3/0/6/130604952/judulak.pdf
- http://mirandamcasting.com/uploads/1/3/1/4/131437513/95e5031a43cfb9.pdf
- http://simplicitysold.com/uploads/1/3/0/2/130287896/vuxipuwibogixiz_xumebamosa_xibogiraxe.pdf
- http://hscpdhpesportsmed.com/uploads/1/3/0/5/130539130/c1302470067e.pdf
- http://instantcelebritymaker.com/uploads/1/3/1/4/131482919/b1898.pdf
- http://dbarts.org/uploads/1/3/0/7/130775435/0892fae14.pdf
- http://wingwarehouseohio.com/uploads/1/3/0/4/130488087/9075464.pdf
- http://the-big-one.org/uploads/1/3/1/4/131438044/725488d4.pdf
- http://ranoscreations.com/uploads/1/3/1/3/131379189/puropewesujoriloz.pdf
- http://jardindeden.net/uploads/1/3/0/4/130476068/1714698.pdf
- http://sparkcommunity.online/uploads/1/3/1/4/131407763/6669227.pdf
- http://basinsresearchgroup.com/uploads/1/3/0/6/130621284/31d0608f.pdf
- http://tobegenz.com/uploads/1/3/1/3/131381045/zurijixik.pdf
- http://jump4joynh.com/uploads/1/3/0/5/130589219/laxali.pdf
- http://instantcelebritymaker.com/uploads/1/3/

XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe XMP schema identifiers carried in the document's metadata packet; these are not clickable links and not indicators):
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
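The link-farm and ClickFix heuristics above can be reproduced with a short, stdlib-only triage script. The following is an added example written for this page, not the analyzer's own code. Its thresholds (a "small" PDF is at most 200 KB, eight or more external .pdf link targets count as a farm), its ClickFix phrase list and the toy PDF builder used as input are all assumptions, and it only handles uncompressed objects (real samples usually need a PDF library to inflate FlateDecode streams first). It also applies the XMP-namespace filtering the URL list above needs, and reports how the link targets spread across hosts, which is the number that qualifies the "clustered on one host" wording for this sample.

```python
"""Stdlib-only triage for PDF link farms and ClickFix text lures (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Namespace URIs every XMP metadata packet carries; they are schema identifiers,
# not link targets, and must be dropped before counting "external URLs".
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI (...) inside a link annotation's action dictionary (uncompressed objects only).
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any URL anywhere in the file, mirroring a generic EMBEDDED_URL style extractor.
GENERIC_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Literal-string text drawn by a Tj operator in an uncompressed content stream.
TEXT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")
# Phrases a ClickFix lure uses to get the victim to run a command themselves (assumed list).
CLICKFIX_RE = re.compile(
    r"\bwin\s*\+\s*r\b|windows\s*\+\s*r|run\s+dialog|paste\s+(?:this|the)\s+command|powershell",
    re.I,
)
CTA_RE = re.compile(r"click here to download|download now", re.I)


def unescape_literal(raw):
    """Undo the backslash escapes allowed in PDF literal strings."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def triage(pdf, small_pdf_bytes=200_000, farm_threshold=8):
    """Return heuristic findings plus the numbers an analyst wants next to them."""
    link_targets = [unescape_literal(m) for m in URI_ACTION_RE.findall(pdf)]
    all_urls = [u.decode("latin-1") for u in GENERIC_URL_RE.findall(pdf)]
    namespaces = sorted({u for u in all_urls if u.startswith(METADATA_NAMESPACE_PREFIXES)})
    pdf_links = [u for u in link_targets if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    text = " ".join(unescape_literal(m) for m in TEXT_RE.findall(pdf))

    findings = []
    if len(pdf) <= small_pdf_bytes and len(pdf_links) >= farm_threshold:
        findings.append("PDF_SEO_LINK_FARM")  # assumed thresholds, see lead-in
    if CLICKFIX_RE.search(text):
        findings.append("SE_CLICKFIX")
    if CTA_RE.search(text):
        findings.append("SE_DOWNLOAD_BUTTON")
    if link_targets:
        findings.append("PDF_URI")
    return {
        "findings": findings,
        "pdf_link_count": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": top_share,
        "metadata_namespaces": namespaces,
        "visible_text": text,
    }


def build_sample_pdf(hosts, text):
    """Constructed toy PDF (uncompressed, no xref table) for testing; not a real sample."""
    annots = " ".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI (http://{h}/uploads/1/3/0/1/1301{i:05d}/{i}.pdf) >> >>"
        for i, h in enumerate(hosts)
    )
    content = f"BT /F1 12 Tf ({text}) Tj ET"
    xmp = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >> endobj\n"
        f"4 0 obj << /Length {len(content)} >> stream\n{content}\nendstream endobj\n"
        f"5 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


if __name__ == "__main__":
    farm = build_sample_pdf(
        [f"site{i}.example" for i in range(10)],
        "Press Win+R, paste the command below and hit Enter. Click here to download Minecraft Forge",
    )
    for key, value in triage(farm).items():
        print(f"{key}: {value}")
```

The host spread is reported separately from the verdict on purpose: a farm whose fifteen targets sit on fifteen domains, as here, is an infrastructure fact worth pivoting on (the shared path template), whereas a farm concentrated on one host points at a single takedown target.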
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off00006aa5.bin | 0fe418fa37145dc5a20482c97e072325821ec62c72c736db1f7cfff245d8abf5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6AA5 | 8212 bytes |
| font_01_sfnt_off00008a60.bin | 81df44247aa6368ee4f5613fd77267ee6cd66bd9e993d06b683ce941502b9c33 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8A60 | 16064 bytes |

Embedded fonts are expected in any PDF and are not suspicious on their own; their hashes are useful mainly for pivoting to other generated carriers produced by the same toolkit.