Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f88caa379df0a67…

Verdict: MALICIOUS
File type: PDF
Size: 41.3 KB
Created: 2020-03-14 16:30:14 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: be8a614cd4ccb3622b7a9ebd2b6f1def
SHA-1: aeddb1249c5cb54a87a697d1550f6f2fa8b4ab40
SHA-256: 2f88caa379df0a67f278efa2ecfa1925a1aa71d226f9d119dbd3edabf5794806
Risk score: 70

Malware Insights

MITRE ATT&CK
T1204.001 User Execution: Malicious Link
T1566.001 Phishing: Spearphishing Attachment
(The sub-technique IDs are corrected to match the named techniques: in ATT&CK, T1204.002 is "Malicious File" and T1566.002 is "Spearphishing Link".)

The document carries 19 clickable external links to other PDFs plus one primary URL whose fragment, together with the body text, advertises a software lure ('Autodesk sketchbook pro mod apk 2018'). The linked PDFs sit on 19 distinct hosts but share a single path template (/uploads/1/3/0/<n>/<site-id>/<name>.pdf), which points to bulk-generated hosting rather than a normal citation pattern. The PDF_SEO_LINK_FARM heuristic fires on this volume of external links; the file's purpose is to route readers into an external, likely unwanted-software, delivery chain. No scripts were extracted from the sample, so the risk lies in where the links lead, not in the document's own content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL (the lure page; the fragment carries the search phrase):
    • http://sacasta.voyagerwebsites.com/uploads/1/3/0/3/130323641/130323641.html#autodesk+sketchbook+pro+mod+apk+2018
    Link targets: 19 external PDFs on 19 distinct hosts, all under the same path template /uploads/1/3/0/<n>/<site-id>/<name>.pdf:
    • http://lovechildcare.org/uploads/1/3/0/7/130739243/543112.pdf
    • http://wow-flower.com/uploads/1/3/0/8/130873786/ropul-guwonom.pdf
    • http://holypostdigital.com/uploads/1/3/0/5/130589429/040afb6cbf.pdf
    • http://sachsfoundationinc.com/uploads/1/3/0/6/130621134/seluritufi-wikawusizur.pdf
    • http://www.sportsmelissa.com/uploads/1/3/0/6/130620899/gevurev-fugobijez.pdf
    • http://gameofthronesofmuppets.com/uploads/1/3/0/3/130379118/patesesavox.pdf
    • http://aseguralostuyos.todorental.com/uploads/1/3/0/6/130620965/vokanu_gijunadibol_vifujegexevupi_ruxofoniwepusak.pdf
    • http://dogfacetheatricals.com/uploads/1/3/0/4/130490115/jumexoxowajisi-riruwakozimiwor-nigavovuvimavo.pdf
    • http://frnk.co/uploads/1/3/0/6/130620382/2914908.pdf
    • http://www.fentonplanthire.co.uk/uploads/1/3/0/8/130874592/laramebenames.pdf
    • http://sophiecharlottephotography.com/uploads/1/3/0/7/130774965/54389.pdf
    • http://troop115.com/uploads/1/3/0/5/130588613/82bb5f2cfdb.pdf
    • http://adammarkeckman.com/uploads/1/3/0/5/130589328/risexasuzoxabelalo.pdf
    • http://savinglivesonegoal.com/uploads/1/3/0/7/130740053/vujuxaxelifego.pdf
    • http://fretbuzz.net/uploads/1/3/0/3/130312991/83537f7e2c51.pdf
    • http://cpanel.delaneydrywall.com/uploads/1/3/0/9/130969751/rikusematoxagiz.pdf
    • http://aquafloradesign.com/uploads/1/3/0/6/130605111/961ac51c81d11a.pdf
    • http://www.kaszazzwithjuliehill.com/uploads/1/3/0/6/130621498/rovetebowi-xaguzize-jakobi.pdf
    • http://jdmservicecentre.ie/uploads/1/3/0/6/130639454/1188800.pdf
    Standard XMP/RDF namespace identifiers (metadata vocabulary found in any XMP-bearing PDF; not clickable link targets and not an indicator):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
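The two heuristics above that matter here are the channel label on each URL (a clickable /URI action versus an XMP namespace declaration versus loose body text) and the PDF_SEO_LINK_FARM rule. The script below is an added example written for this page, not code from the analysis tool that produced the report. It assembles a throwaway link-farm PDF in memory (constructed hosts under .example, constructed paths), labels every URL by the channel that carried it, and scores the link-farm rule. The thresholds (at most 100 KB, at least 8 clickable external .pdf links, at least half of the clickable links sharing one host or one path template) are assumptions chosen for the example; the report's rule text names host clustering, and the path-template check is a generalisation added so that the distinct-host, same-path layout seen in this sample is also caught.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: a throwaway link-farm PDF assembled in memory.
# Hosts, paths and thresholds are assumptions for illustration, not values from the report.
LURE_URL = "http://lure.example/uploads/1/3/0/3/130323641/130323641.html#autodesk+sketchbook+pro+mod+apk+2018"
FARM_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 9 + 1}/13{i:07d}/file{i}.pdf"
    for i in range(1, 13)
]
XMP_PACKET = (
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
    b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>'
)
PAGE_TEXT = b"BT (Download Now - mirror: http://mirror.example/get.html) Tj ET"


def build_sample_pdf(link_urls):
    """Assemble a minimal one-page PDF with one /Link annotation (/URI action) per URL,
    an XMP metadata stream and a plain-text content stream. It is shaped for the regex
    parsing below, not for a viewer (no xref table)."""
    n_fixed = 5
    refs = b" ".join(b"%d 0 R" % (n_fixed + i + 1) for i in range(len(link_urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [" + refs + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP_PACKET)
        + XMP_PACKET + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(PAGE_TEXT) + PAGE_TEXT + b"\nendstream",
    ]
    for url in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + url.encode("ascii") + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")   # clickable link actions
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')          # XMP namespace declarations
ANY_URL_RE = re.compile(rb'https?://[^\s<>()"\']+')               # anything URL-shaped


def extract_urls(pdf):
    """Map every http(s) URL in the raw bytes to the channel that carried it:
    a clickable /URI action, an XMP namespace declaration, or loose body text."""
    actions = {m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)}
    namespaces = {m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf)}
    labelled = {}
    for m in ANY_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url in actions:
            channel = "link-annotation"
        elif url in namespaces:
            channel = "xmp-namespace"
        else:
            channel = "document-body"
        labelled.setdefault(url, channel)
    return labelled


def path_template(url):
    """Collapse digit runs and drop the filename so sibling uploads share one key."""
    path = re.sub(r"\d+", "<n>", urlsplit(url).path)
    return path.rsplit("/", 1)[0] + "/"


def link_farm_assessment(pdf, min_pdf_links=8, max_size=100_000, min_share=0.5):
    """Assumed rule: a small file whose clickable links point at many external PDFs
    that cluster on one host or on one path template."""
    clickable = [u for u, ch in extract_urls(pdf).items() if ch == "link-annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    templates = Counter(path_template(u) for u in clickable)
    n = len(clickable) or 1
    top_host_share = max(hosts.values(), default=0) / n
    top_template_share = max(templates.values(), default=0) / n
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and max(top_host_share, top_template_share) >= min_share)
    return {
        "clickable": len(clickable),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 2),
        "top_template_share": round(top_template_share, 2),
        "top_template": templates.most_common(1)[0][0] if templates else None,
        "PDF_SEO_LINK_FARM": flagged,
    }


SAMPLE_PDF = build_sample_pdf([LURE_URL] + FARM_URLS)

if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF).items():
        print(f"{channel:16} {url}")
    print(link_farm_assessment(SAMPLE_PDF))
```

On the constructed sample the three XMP namespace URIs come out as `xmp-namespace`, the mirror URL in the content stream as `document-body`, and the 13 annotation targets as `link-annotation`; the rule fires on path-template concentration (1.0) even though every link sits on a different host (top host share 0.08). Against real files the regex stage is the weak link: URIs inside compressed object streams or hex-encoded strings are invisible to it, so feed the URI list from a proper parser (pikepdf, pdfminer) into the same scoring instead.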

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007686.bin
SHA-256:  7991c3bb8ce398d3bbf909c6442a7dd95b17d82575ae113b321fb7f956ffbb29
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x7686
Size:     8192 bytes

An embedded font subset is normal for wkhtmltopdf/Qt output and is not by itself an indicator; it is carved so the stream can be checked and hashed independently of the carrier.