Malicious PDF — malware analysis report

Static analysis result for SHA-256 2daf328922324227…

MALICIOUS

PDF

34.5 KB Created: 2020-04-22 04:59:07 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4f5080d58c3ba21cd71aa86ccab49a9f SHA-1: 8aaef267f8a7324d2f8d211311883d4bdc200d2e SHA-256: 2daf3289223242270af0be0da639e3a017d2e51bfd294f2dd94313457aa9d95c
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link farm with numerous external PDF links, a common technique for SEO poisoning and distributing malicious content. The heuristic 'SE_INVOICE_LURE' suggests the document's content is designed to trick the user into clicking the links, likely by impersonating an invoice or payment notification. The primary link points to a calendar template, which is likely a lure to download another malicious PDF.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://compassion-for-kids.org/uploads/1/3/0/7/130776002/130776002.html#vertex42+calendar+template
    • http://patrickgoldstein.com/uploads/1/3/0/5/130543366/4212371.pdf
    • http://derbyshirealcoholadvice.com/uploads/1/3/0/6/130604273/2896695.pdf
    • http://peninsulapopsconcerts.org/uploads/1/3/1/3/131380429/nepimodulez_levaninowe.pdf
    • http://emmaelliottraditional.com/uploads/1/3/0/5/130546333/5745755.pdf
    • http://medievalnow.com/uploads/1/3/0/5/130539849/aa04321.pdf
    • http://wonderfulrooms.london/uploads/1/3/1/6/131606284/6715586.pdf
    • http://h2blove.com/uploads/1/3/0/8/130813923/2326944.pdf
    • http://tmgbusinesssolutions.com/uploads/1/3/0/5/130589412/1d42cd26c1f6a.pdf
    • http://imigrationlawyerlongisland.com/uploads/1/3/0/7/130739470/3601253.pdf
    • http://prosphatos.com/uploads/1/3/0/5/130546742/b1f13d8c3e52.pdf
    • http://headelitefl.com/uploads/1/3/0/6/130604928/kifafudidob.pdf
    • http://peterfleischertv.com/uploads/1/3/0/4/130483238/7d4c6367.pdf
    • http://denovolifetherapy.com/uploads/1/3/0/7/130776279/3771638.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006358.bin
c18ebbe19d1c7a0a1d8d34284ea9952f0b76a7df9b33870ea8d2141f3c0f2c40		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6358 8216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.