PDF malware analysis — malicious · 2b778fda3e51b9ba

MALICIOUS

PDF

42.8 KB Created: 2020-03-14 16:58:15 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 18a2da29b2660eec732d2809247ce3a9 SHA-1: ff88993db5a33f49199a607975d1363bd3f62a6c SHA-256: 2b778fda3e51b9ba6b69356635cfb749f2a39368744bc763c9abb998b3b39a6c

72 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a lure for 'Medscape free for windows 10' and embeds a large number of external links, many pointing to PDF files. The primary heuristic indicates a PDF link farm designed for SEO, suggesting a malicious distribution method. The document body, though partially corrupted, contains references to the lure and multiple URLs, including http://cpanel.jennifermannauthor.com/uploads/1/3/0/6/130604114/130604114.html#medscape+free++for+windows+10, which likely serves as the initial landing page for the attack.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://cpanel.jennifermannauthor.com/uploads/1/3/0/6/130604114/130604114.html#medscape+free++for+windows+10
- http://asstails.com/uploads/1/3/0/6/130604449/12805a98a.pdf
- http://rentalsandroomates.net/uploads/1/3/0/6/130605229/risibem.pdf
- http://www.bestilljill.com/uploads/1/3/0/4/130476506/7fe8a.pdf
- http://eefmvz.net/uploads/1/3/1/0/131071299/8401029.pdf
- http://towcincinnati.com/uploads/1/3/1/1/131164081/vovivopizidu.pdf
- http://mail.insuracon.com/uploads/1/3/0/6/130603676/4773534.pdf
- http://www.louiseashcroft.org/uploads/1/3/0/6/130620952/fd70204.pdf
- http://creaencantos.com/uploads/1/3/0/5/130539109/lapegofewo.pdf
- http://beavercreekbaptistchurch.com/uploads/1/3/0/7/130776252/5668660.pdf
- http://mail.greenivyschools.org/uploads/1/3/0/8/130814042/ea473c7ad8e6.pdf
- http://www.dkpaintingtexas.com/uploads/1/3/0/6/130604951/fagabu.pdf
- http://bartbenson.com/uploads/1/3/0/5/130590143/8643213.pdf
- http://burritobrothersme.com/uploads/1/3/0/5/130588973/koxoveg_jimufibuwoze_sulagukat.pdf
- http://www.dbjones-author.com/uploads/1/3/0/5/130589345/4f3466d0218f.pdf
- http://agnoble.com/uploads/1/3/0/5/130588872/517370.pdf
- http://carolynsandstrom.com/uploads/1/3/0/4/130476204/nupiv.pdf
- http://www.suzannedreher.com/uploads/1/3/0/5/130588573/427d2a04e80eb2.pdf
- http://postmoderneskimo.com/uploads/1/3/0/5/130588962/jogujizisuxumubefe.pdf
- http://vivygirl-designs.com/uploads/1/3/0/6/130605084/6889052.pdf
- http://zemanedopovao.com/uploads/1/3/0/6/130639685/bulimanosidi.pdf
- http://www.4x4rockyroads.com/uploads/1/3/0/8/130874023/puxejinozikagux-nebebor.pdf
- http://youngathletesports.physio/uploads/1/3/0/8/130814088/0a3bfeb51.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007d43.bin` `f9de8a8f6a6016ed40c5d8db9bfac432184c5b4247e201cffab677674ff683f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7D43	8364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.