Malicious PDF — malware analysis report

Static analysis result for SHA-256 310fb57b98f2c0f6…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-06-03 01:31:31 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 38350d055e461ae88743fbfd3bb57d8c
SHA-1: 87d7b5e6f16719e82ed08da368fd00d8f24adf8b
SHA-256: 310fb57b98f2c0f65c87e4923583b812de29b84a780379d64b103d70e7be946d
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1539 Steal Application Data
  • T1056.001 Input Capture: Keylogging
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Web Protocols: HTTP

The PDF document contains numerous links to external websites, indicative of a link farm, with a specific lure related to 'two-factor authentication google'. The heuristics indicate this is a credential harvesting lure, specifically requesting recovery secrets or MFA confirmation. The document's content and heuristic firings strongly suggest a phishing attack aimed at stealing sensitive user information.

Heuristics (6)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Recovery secret / private key request (critical, SE_SECRET_RECOVERY_LURE)
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • MFA / one-time-code harvesting lure (high, SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nextgenmedia.info/uploads/1/3/0/7/130775269/130775269.html#two-+factor+authentication+google
    • http://jjwholesellresell.com/uploads/1/3/0/8/130873840/tumixuteketilebib.pdf
    • http://rcarrlaw.com/uploads/1/3/0/3/130379435/1f02e817.pdf
    • http://positively-jewish.com/uploads/1/3/0/6/130621709/c8bba3735d897a.pdf
    • http://symphonyno1.com/uploads/1/3/0/4/130476885/4715109.pdf
    • http://hillsidelagunabeach.com/uploads/1/3/1/4/131406649/kikibizinokawoj.pdf
    • http://mattcottenstudios.com/uploads/1/3/0/7/130738939/9230719.pdf
    • http://nextgenmedia.info/uploads/1/3/0/7/130775269/terms.html
    • http://nextgenmedia.info/uploads/1/3/0/7/130775269/dmca.html
    • http://nextgenmedia.info/uploads/1/3/0/7/130775269/policy.html
    • https://riguwig.files.wordpress.com/2020/06/xamujodovelexulegew.pdf
    • https://pifiruvar.files.wordpress.com/2020/05/91224403372.pdf
    • https://dimimumuvev.files.wordpress.com/2020/05/12973498121.pdf
    • https://sobokufiju.files.wordpress.com/2020/05/wixebumemepesowabafu.pdf
    • https://wizaliz58549216.files.wordpress.com/2020/06/52930896368.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008c69.bin
SHA-256:  48c0851daaf916fb9db432fb50e5a3c476c5cb3d34e885c669daba70e7dcd22b
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x8C69
Size:     10916 bytes