Malicious PDF — malware analysis report

Static analysis result for SHA-256 24d71bde4797d174…

MALICIOUS

PDF

Size: 34.4 KB
Created: 2020-05-18 09:16:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46c7c85b847691a61a6644118bb2c803
SHA-1: ab6093661743ce64812bb067af596ec0bc4cadc8
SHA-256: 24d71bde4797d1740700909690ef4010a196c0c68cddc2d92eed0804f3965665
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell

The document contains numerous embedded URLs, most of them pointing to PDF files hosted on SEO link-farm style paths. One URL, 'http://chewoncakes.com/uploads/1/3/1/4/131407683/131407683.html#paypal+phishing+email+report', directly indicates a PayPal phishing lure. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic flags a common tactic in which the document refers to a password-protected archive, typically so the payload stays encrypted until it is past gateway scanning. The 'SE_CALLBACK_LURE' heuristic further supports a phishing or scam pretext by indicating a prompt to call a phone number. Taken together, these elements strongly suggest a phishing attack aimed at credential harvesting.

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a tactic often used to keep payloads encrypted until after gateway scanning.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chewoncakes.com/uploads/1/3/1/4/131407683/131407683.html#paypal+phishing+email+report

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005ad1.bin
SHA-256:  1ae29fcb02c54acbe39e81db80d313044f99aaab603dd01f1aee2bacfb987705
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x5AD1
Size:     10376 bytes