Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e742c62ee855a64…

MALICIOUS

PDF

47.5 KB Created: 2020-04-25 02:09:34 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 11a28ffb2eaa79cdf9622c5dc4c84433 SHA-1: 421a84476631b62bd9ee46b5fc851e86ac3182bd SHA-256: 2e742c62ee855a64fc436029428614e99548f80a1cddbd32b4001677d4a699a8
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell T1059.003 Windows Command Shell T1218.011 Rundll32 T1218.010 Regsvr32

This PDF document employs a social engineering lure, instructing the user to install a browser extension or update to view content. This is a common tactic to trick users into compromising their systems. The presence of multiple external links and the heuristic firing for 'SE_LOLBIN_RUN_COMMAND' suggest that the document is designed to download and execute further malicious payloads, potentially using tools like PowerShell, mshta, cmd, rundll32, or regsvr32. The document also contains a large number of external PDF links, indicating a potential link farm or distribution mechanism.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chichesterfootandankle.org/uploads/1/3/1/4/131438078/131438078.html#fight+song+piano+sheet
    • http://iammichaelwillis.com/uploads/1/3/1/4/131453637/6512732.pdf
    • http://twistwholesale.com/uploads/1/3/0/5/130539072/busorimajibenib-vebewutajezor.pdf
    • http://loveandtheriver.com/uploads/1/3/0/5/130551219/129c350e8f034.pdf
    • http://thehoebox.com/uploads/1/3/0/9/130969027/banoz.pdf
    • http://hawaiiancoconuthats.com/uploads/1/3/0/5/130550868/41011792a5f8b.pdf
    • http://globalreformasemcuritiba.com/uploads/1/3/0/5/130588480/nilan_jubuwaxen_guvetefitafiper_sowoge.pdf
    • http://bessiestarkman.com/uploads/1/3/0/9/130969235/6405828.pdf
    • http://eaoldmixon.com/uploads/1/3/0/5/130589097/9141da0e3448660.pdf
    • http://falulapeacock.com/uploads/1/3/1/3/131380899/tagamukapodeki-kapibinadajoxim.pdf
    • http://edlogics.org/uploads/1/3/0/6/130621310/zoxurodiwixov-tidud.pdf
    • http://prgisservices.com/uploads/1/3/1/3/131398250/xewik.pdf
    • http://eaoldmixon.com/uploa
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008fe2.bin
d2eaa63731448efe0a879d152fd13227bd8b0d96b04c8ac6be1c052d18e639a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8FE2 9220 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.