Malicious PDF — malware analysis report

Static analysis result for SHA-256 2941e6f6bf023be7…

MALICIOUS

PDF

34.6 KB Created: 2020-06-04 08:27:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7aea8bbde27923a513392aff0acb1f40 SHA-1: fd71d54203e502b3f188052f82ca66963e7809ae SHA-256: 2941e6f6bf023be7e12225067fcdec75c74c8db380cd71f705924799e70ba7fb
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous external links, with a significant number pointing to other PDF files hosted on various domains. This pattern is indicative of a link farm or SEO spam campaign, potentially designed to distribute malware or lead users to phishing sites. The presence of a 'download button' lure further supports the malicious intent. No scripts were extracted, limiting the analysis to the document structure and embedded links.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://thetrustygavelauction.net/uploads/1/3/0/7/130774970/130774970.html#todd+lammle+ccna+9th+edition+pdf
    • http://advocatefinance.net/uploads/1/3/0/4/130478057/4658290.pdf
    • http://digestivesystemkarly.com/uploads/1/3/1/1/131164577/xumeret_beleg_dategixiloz.pdf
    • http://natalyaz.com/uploads/1/3/0/7/130740166/673aea8c08.pdf
    • http://djangoleased.com/uploads/1/3/0/8/130813054/5863696.pdf
    • http://thetrustygavelauction.net/uploads/1/3/0/7/130774970/terms.html
    • http://thetrustygavelauction.net/uploads/1/3/0/7/130774970/dmca.html
    • http://thetrustygavelauction.net/uploads/1/3/0/7/130774970/policy.html
    • https://jinotazataga.files.wordpress.com/2020/06/fiwaxa.pdf
    • https://zileweke.files.wordpress.com/2020/06/tuguluvewif.pdf
    • https://tomaper.files.wordpress.com/2020/06/47057232268.pdf
    • https://siwatazukot.files.wordpress.com/2020/06/55894031656.pdf
    • https://sabaliku.files.wordpress.com/2020/06/kuzafon.pdf
    • https://mudobemazi.files.wordpress.com/2020/06/fibej.pdf
    • https://wibuvevi.files.wordpress.com/2020/06/mozavibuvuwizajulob.pdf
    • https://xozawetaset.files.wordpress.com/2020/06/nunedamulegokuki.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005aef.bin
4c8161fb5eda2ffda0a8745ebcff4c5825c87bf720e90fb4bf08d8bded74fc64		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AEF 10544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.