Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ce9b2fc618b1fcd…

Verdict: MALICIOUS    File type: PDF    Risk score: 62

Size: 43.3 KB    Created: 2020-04-21 14:26:25 +03:00    Producer: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 575fc3426ebc712915b89561e1e4d026
SHA-1: b0c07e0fa59c4ab2de202b5ea800837c2744b86f
SHA-256: 2ce9b2fc618b1fcd0eb4caa8363ee706ae6d8d48850463c223dfbb31f4bcb6c3

The creation date and producer string are self-reported document metadata and are trivially forgeable. What the producer string does indicate is that the file was rendered from HTML (wkhtmltopdf is an HTML-to-PDF converter), which fits a generated link page rather than a hand-authored component datasheet.

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment    T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links, most of which point to other PDF files on unrelated domains that nonetheless share one path template. This is the pattern of a link farm, or of a carrier document whose purpose is to route readers to externally hosted content. The document body, though partially corrupted, contains text for a 'Datasheet of diode 1n5819', and the fragment of the first link (#datasheet+of+diode+1n5819) repeats the same phrase: the datasheet is the lure, the links are the payload. No scripts were extracted, so the file itself carries no execution path; the risk lies in what the link targets resolve to at click time, which can change after the document has been analysed. Treat every target as untrusted and fetch it only from a sandboxed host when following up.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. The generic rule text expects the links to cluster on one host; in this sample they are spread across distinct domains that all share the same /uploads/<n>/<n>/<n>/<n>/<site-id>/ path template, which is consistent with one site-generation platform rather than independent sources, and none of the hostnames has any relation to the diode datasheet lure.
  • PDF_URI (info): External URI action
    The PDF contains at least one /URI action, i.e. a link annotation that opens an external URL when clicked.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JavaScript, link annotation, document body, ...) say which mechanism reaches each URL.
    • http://smartlivingyou.org/uploads/1/3/0/5/130541186/130541186.html#datasheet+of+diode+1n5819 (fragment matches the lure text)
    • http://reliancevolunteerinterchange.com/uploads/1/3/0/9/130969931/wituzo.pdf
    • http://crawford4chatham.com/uploads/1/3/0/5/130588865/6871129.pdf
    • http://chelseahadd.com/uploads/1/3/0/4/130483052/8833849.pdf
    • http://fortobello.com/uploads/1/3/0/7/130775108/romukoloxid-jinojasusogo.pdf
    • http://aucoingourmand.net/uploads/1/3/0/4/130435875/4898404.pdf
    • http://cesuparatsunt.com/uploads/1/3/1/3/131398372/zirinukujon_labutezeru_vetedivazufupif.pdf
    • http://mmg-associates.com/uploads/1/3/0/6/130640128/tunomu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    The last two are the RDF and Dublin Core namespace identifiers from the document's XMP metadata block. They appear in any PDF that carries XMP metadata and are not navigation targets; a URL extractor that does not separate metadata strings from /URI actions will always report them.
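Added example, not part of the report or of the analysis tooling that produced it: a small Python scanner that pulls /URI actions out of an uncompressed PDF, labels every URL in the file with the channel that carries it (so the XMP namespace identifiers above are not mistaken for clickable links), and applies an approximation of the PDF_SEO_LINK_FARM rule. The sample PDF is constructed here from the link targets listed above; the analysed file's real object layout is not reproduced, and the 100 KB size threshold and five-link threshold are assumptions chosen for the example, not the rule's real parameters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the link targets listed in the report, turned into /Link
# annotations of a minimal uncompressed PDF. The real sample's object layout is
# not reproduced here; only the shapes the heuristics look at are.
LINK_URLS = [
    "http://smartlivingyou.org/uploads/1/3/0/5/130541186/130541186.html#datasheet+of+diode+1n5819",
    "http://reliancevolunteerinterchange.com/uploads/1/3/0/9/130969931/wituzo.pdf",
    "http://crawford4chatham.com/uploads/1/3/0/5/130588865/6871129.pdf",
    "http://chelseahadd.com/uploads/1/3/0/4/130483052/8833849.pdf",
    "http://fortobello.com/uploads/1/3/0/7/130775108/romukoloxid-jinojasusogo.pdf",
    "http://aucoingourmand.net/uploads/1/3/0/4/130435875/4898404.pdf",
]
# XMP metadata carrying the RDF and Dublin Core namespace URIs seen in the report.
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')


def build_sample_pdf(urls):
    """Assemble an uncompressed PDF with one /Link annotation (/URI action) per URL
    and an XMP metadata stream. No xref table: the scanner below does not need one."""
    annots = []
    for i, url in enumerate(urls):
        lit = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode()
        annots.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] "
                      b"/A << /S /URI /URI (%s) >> >> endobj\n" % (5 + i, 10 * i, 10 * i + 8, lit))
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    head = (b"%%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >> endobj\n"
            b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream\nendobj\n"
            % (refs, len(XMP), XMP))
    return head + b"".join(annots) + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# /URI key followed by a literal string; backslash escapes are kept for decoding below.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ANY_URL = re.compile(rb"https?://[^\s<>\"'()]+")
ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}  # \n \r \t


def unescape_literal(lit):
    """Decode a PDF literal string body: \\( \\) \\\\ \\n \\r \\t and octal \\ddd."""
    out, i = bytearray(), 0
    while i < len(lit):
        if lit[i] == 0x5C and i + 1 < len(lit):            # backslash escape
            m = re.match(rb"[0-7]{1,3}", lit[i + 1:i + 4])
            if m:
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
                continue
            out.append(ESCAPES.get(lit[i + 1], lit[i + 1]))  # \( \) \\ and friends
            i += 2
            continue
        out.append(lit[i])
        i += 1
    return out.decode("latin-1")


def extract_uri_actions(pdf):
    """URLs opened by /URI actions, i.e. what a click on a link annotation reaches."""
    return [unescape_literal(m.group(1)) for m in URI_ACTION.finditer(pdf)]


def label_urls(pdf):
    """Every http(s) URL in the file, tagged with the channel that carries it.
    XMP namespace identifiers land in 'metadata/body' and are not navigation targets."""
    clickable = set(extract_uri_actions(pdf))
    labels = {}
    for m in ANY_URL.finditer(pdf):
        url = m.group().decode("latin-1")
        labels.setdefault(url, "link-annotation" if url in clickable else "metadata/body")
    return labels


def link_farm_verdict(pdf, max_size=100_000, min_pdf_links=5):
    """Approximation of PDF_SEO_LINK_FARM: a small file whose clickable links lead to
    external .pdf resources. The thresholds are assumptions, not the rule's parameters."""
    clickable = extract_uri_actions(pdf)
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    top_share = hosts.most_common(1)[0][1] / len(clickable) if clickable else 0.0
    return {
        "size": len(pdf),
        "clickable": len(clickable),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links,
    }


if __name__ == "__main__":
    sample = build_sample_pdf(LINK_URLS)
    for url, channel in label_urls(sample).items():
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

The regex scan only sees dictionaries stored in the clear. Real samples frequently keep annotations and actions inside Flate-compressed object streams, so inflate the document first (Didier Stevens' pdf-parser.py or pypdf can do this) before trusting a "no /URI actions found" result; the same caveat applies to any string-based PDF triage.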

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005e9a.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x5E9A
    Size:    8116 bytes
    SHA-256: b6f3bc77693759d158b2cd554eea38d9ec4a2d900bcbd2c5c1c415c2cd6e6e30
  • font_01_sfnt_off00007c6a.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x7C6A
    Size:    5532 bytes
    SHA-256: c9f2766864d727e1393aa645f689f1e349cca9ca80d00af93de57b1bbf7dc8a8
  • font_02_sfnt_off00008e6f.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x8E6F
    Size:    16384 bytes
    SHA-256: 76d0edce5bdb93a691a0309c49e7369480f5d97eef5486ab960fc16df6d92a06

Three embedded font streams are unremarkable for wkhtmltopdf/Qt output, which subsets and embeds the fonts it uses, and no detection fires on them. Two checks are still worth doing: the third blob is exactly 16 KiB, which may be a carver read limit rather than the stream's real length, so confirm it against the font stream's /Length; and parse each blob's sfnt table directory before handing it to any renderer, since a truncated or inconsistent directory is the first thing a malformed-font chain relies on.
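Added example for triaging carved sfnt blobs like the three above (my code, not the report's carver): it parses the sfnt offset table and table directory and flags any table whose offset plus length runs past the end of the blob, which catches both truncated carves and tampered directories. The font built inside the block is constructed for the example and does not correspond to the carved files; run parse_sfnt_directory over each real .bin to get the same report for them.

```python
import struct

# sfnt magic values: TrueType (0x00010000 or 'true'), OpenType with CFF outlines ('OTTO').
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType", b"OTTO": "OpenType/CFF"}


def build_sfnt(tables, magic=b"\x00\x01\x00\x00"):
    """Constructed sfnt: offset table + table directory + table data, no 4-byte padding.
    searchRange/entrySelector/rangeShift are left zero; the directory check ignores them."""
    n = len(tables)
    header = magic + struct.pack(">HHHH", n, 0, 0, 0)
    directory, data, offset = b"", b"", 12 + 16 * n
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))  # tag, checksum, offset, length
        data += payload
        offset += len(payload)
    return header + directory + data


def parse_sfnt_directory(blob):
    """Parse the offset table and table directory of a carved font blob and flag tables
    whose offset+length run past the end of the blob: a truncated carve or a tampered
    directory, either of which deserves a look before the font reaches a renderer."""
    result = {"kind": None, "num_tables": 0, "tables": {}, "out_of_bounds": [], "ok": False}
    if len(blob) < 12:                               # not even a complete offset table
        return result
    result["kind"] = SFNT_MAGIC.get(blob[:4])
    num_tables = struct.unpack(">H", blob[4:6])[0]
    result["num_tables"] = num_tables
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:                            # the directory itself is cut off
            result["out_of_bounds"].append(("<directory>", 12 + 16 * i, 16))
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        name = tag.decode("latin-1")
        result["tables"][name] = (offset, length)
        if offset + length > len(blob):
            result["out_of_bounds"].append((name, offset, length))
    result["ok"] = result["kind"] is not None and not result["out_of_bounds"]
    return result


if __name__ == "__main__":
    good = build_sfnt({b"head": bytes(54), b"hmtx": bytes(8)})
    # Tamper with the hmtx length field (directory entry 1, bytes 40..44) so it points past the blob.
    tampered = good[:40] + (0x10000).to_bytes(4, "big") + good[44:]
    print(parse_sfnt_directory(good))
    print(parse_sfnt_directory(tampered))
```

A clean directory says nothing about the table contents themselves; it only establishes that the blob is a complete, self-consistent sfnt container, which is the precondition for any deeper font parsing or for diffing the carved fonts against known-good copies of the same typeface.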