Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d42f941ce75074e…

MALICIOUS

PDF

Size: 50.5 KB
Created: 2020-03-21 02:17:25 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 216e83f28d7e740afa411fdb022d7be4
SHA-1: 3852c1ee2c8f67e9d4e7d39ee3f666cf73377736
SHA-256: 2d42f941ce75074e830118e6db6bb862edccd327f03f9c45b1e537229b9362ef
Risk score: 112

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous embedded URLs, forming a link farm, and is presented as a lure for an 'ios download' and potentially an advance-fee scam. The document body is heavily obfuscated but contains references to the URLs. The primary attack pattern involves directing the user to download a malicious file from one of the provided URLs.

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://marilusdesigns.com/uploads/1/3/0/7/130775762/130775762.html#2960g-24tc-l+ios+download
    • http://lisajoanna.com/uploads/1/3/0/4/130476468/pijobalo.pdf
    • http://darisayrealestate.com/uploads/1/3/0/6/130622092/poxoza_silulo_sabenumovakizat.pdf
    • http://hostmaster.totalmarinegippsland.com.au/uploads/1/3/0/7/130739062/lipopinat.pdf
    • http://gpdisigns.com/uploads/1/3/0/6/130621102/c7f0e2.pdf
    • http://bellamyboutique.com/uploads/1/3/0/2/130292125/9e097ab6eb58.pdf
    • http://socialcapitalprotocol.org/uploads/1/3/0/5/130544672/2316558.pdf
    • http://rational-world.de/uploads/1/3/0/8/130874666/zixikudax-xuvidelesoxuz-xitogexodelobi-xofuseb.pdf
    • http://ammjenoreste.com/uploads/1/3/0/4/130488098/mofaxi.pdf
    • http://photog.fun/uploads/1/3/0/5/130588796/zawilagopigivasewex.pdf
    • http://www.masazeaquiss.com/uploads/1/3/0/4/130476538/bematatugu_rifopelozasid_jaxozex.pdf
    • http://kafenia.org/uploads/1/3/0/7/130776104/955805.pdf
    • http://enduremarket.com/uploads/1/3/0/7/130740533/d59f8d3b.pdf
    • http://thepro3001.com/uploads/1/3/0/7/130776223/b1ab0df0e6.pdf
    • http://www.scihuntingtonbeach.davidmichaeldesigns.com/uploads/1/3/0/2/130289224/4593058.pdf
    • http://thesecretstomylife.com/uploads/1/3/0/3/130379409/fufesowazijeporiz.pdf
    • http://ressel.us/uploads/1/3/0/4/130488500/monekugebifa.pdf
    • http://pronetworks.us/uploads/1/3/0/5/130550824/velatinotagum.pdf
    • http://fighttheprejudice.com/uploads/1/3/0/8/130813654/807010.pdf
    • http://snookathletics.com/uploads/1/3/0/8/130874566/00160509e0981.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000098a8.bin
SHA-256: 45e83b7d38c9c9a06fe4ba09137089557d422d94cd66eecda0219730dfdda814
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x98A8
Size: 9416 bytes