Malicious PDF — malware analysis report

Static analysis result for SHA-256 2be1556a8927d7dc…

MALICIOUS

PDF

Size: 41.5 KB
Created: 2020-04-07 07:26:44 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 062c72afaabafbd8c5f2ea1c217801f5
SHA-1: b3cf68b8e7192378228d5293123ad4a2eeeff727
SHA-256: 2be1556a8927d7dce061a805dc01a138397a44553408f7018d80469c3980a72e
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO poisoning or to direct users to malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this behavior. While no scripts were extracted, the presence of numerous links suggests a phishing or redirection attempt. The document body contains urgency language, further supporting a lure-based attack pattern.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure [low] SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006383.bin
SHA-256: aca18fe624b146e911c2e75b4325580a484386a846ce45507a813e969e954f9d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6383
Size: 8584 bytes

Filename: font_01_sfnt_off00008469.bin
SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8469
Size: 16036 bytes