Malicious PDF — malware analysis report

Static analysis result for SHA-256 301061398c88e4be…

MALICIOUS

PDF

Size: 36.6 KB
Created: 2020-05-13 06:42:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 01a6d332cc77161fcc6ed01eb804e638
SHA-1: 2ae07535bb09d96670ca61a4095c38594a2d731c
SHA-256: 301061398c88e4beac19a5a2a94717f710a2aa1ba39de8149acf98c6a1e10fb6
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains, suggesting a link farm or SEO abuse tactic. Crucially, the document explicitly instructs the user to copy and paste content into a command-line interface, a common lure for executing malicious commands. No scripts were extracted, but the combination of the link farm and the command execution lure strongly indicates a social engineering attack designed to facilitate the download and execution of a secondary payload.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://curtisjrdesigns.com/uploads/1/3/0/5/130551187/130551187.html#power+bi+template+for+sccm
    • http://mhcustomhomes.com/uploads/1/3/0/6/130620603/tiwofunowutotut_mabijewop_duwenu.pdf
    • http://bellairetreeservice.com/uploads/1/3/1/8/131871951/nomigow-tinerad-livotexigezix.pdf
    • http://deitzlandsurveying.com/uploads/1/3/0/3/130379060/c418bb28ea3.pdf
    • http://starcraftpontoonboats.ca/uploads/1/3/1/6/131636862/tizanetudimadez.pdf
    • http://princess-bowtique.com/uploads/1/3/1/4/131453924/f9988269d0b1.pdf
    • http://dansvorcan.com/uploads/1/3/0/6/130620865/55343cc589c.pdf
    • http://bairddesign.com/uploads/1/3/0/3/130323592/9863512.pdf
    • http://grandview-designs.com/uploads/1/3/1/6/131606234/tipitifomudo.pdf
    • http://storeorg.com/uploads/1/3/1/4/131437383/pukitavupifi-muxabe-jazafuxinobo-lolino.pdf
    • http://vakantiehuisfrankrijk.nu/uploads/1/3/1/8/131871799/niwofovewip.pdf
    • http://mikeswaterworks.com/uploads/1/3/0/4/130476327/gepuvalikamuwojotuke.pdf
    • http://laclinicadellavoro.com/uploads/1/3/0/6/130621496/454970.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000626f.bin
SHA-256: 63111cd937b070acb11d3cf12cca28dfa01ee4c064f4612a2780e5cce48e8f78
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x626F
Size: 10392 bytes