Malicious PDF — malware analysis report

Static analysis result for SHA-256 3af0e97c7f400e7f…

Verdict: MALICIOUS
File type: PDF
Size: 51.3 KB
Created: 2020-04-10 08:31:59 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a2c1cbef81d912a806f8617071ec6c48
SHA-1: e547e3a01d3ca57d574de394b95412e19c8af852
SHA-256: 3af0e97c7f400e7f76d127d403780024a2f4894c965890340c5d16d83321fecc
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The document is a small (51.3 KB) wkhtmltopdf-generated PDF whose content is a link farm: nine clickable external URLs, eight of them pointing at further PDFs, spread across nine different domains that all share the same /uploads/1/3/x/x/<numeric id>/ path scheme, plus one .html target carrying an SEO keyword fragment (#kavalier+and+clay+part+6+summary). This matches mass-generated SEO/link-farm carriers used to route users into unwanted-software or phishing delivery chains, and the PDF_SEO_LINK_FARM heuristic is the primary basis for the verdict. No JavaScript or other scripts were extracted, so the sample has no execution capability of its own; the visual download call-to-action is low-signal in isolation but reinforces the deceptive workflow. The remaining URLs (w3.org, purl.org, ns.adobe.com) are XMP/RDF namespace identifiers from the metadata stream, not links, and should not be treated as indicators.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the nine links sit on nine different domains but share an identical /uploads/1/3/x/x/<numeric id>/ path scheme, which is the clustering signal here.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action (a /URI action attached to a link annotation).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; what matters is which channel (macro, JavaScript, link annotation, document body, metadata) reached it.

    Clickable link targets (URI actions):
    • http://seizediem.com/uploads/1/3/0/5/130551635/130551635.html#kavalier+and+clay+part+6+summary
    • http://poochesandsmooches.org/uploads/1/3/0/2/130274017/5c19bf.pdf
    • http://julesgiftcafe.com/uploads/1/3/1/4/131453499/8244155.pdf
    • http://tonibrannan.com/uploads/1/3/0/5/130551211/katimejufuvo-muwokalosa-gisakivukop-xusixesewerada.pdf
    • http://keliciapitts.com/uploads/1/3/1/3/131379045/9364181.pdf
    • http://rgbatiment.net/uploads/1/3/0/5/130539315/c403dc.pdf
    • http://locksmiths-near-me.org/uploads/1/3/1/3/131398563/vediwimenozi-vapatu.pdf
    • http://passionfeetwineslushie.com/uploads/1/3/0/5/130590457/6423759.pdf
    • http://nasirharmon.com/uploads/1/3/1/4/131405951/818763.pdf

    XMP/RDF metadata namespace identifiers (not links; present in any PDF carrying an XMP packet):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
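As an added example (not the analyser's own code), the following Python script implements a detector along the lines of the PDF_SEO_LINK_FARM and EMBEDDED_URL findings above: it pulls URLs out of a PDF by channel (URI actions on link annotations, XMP namespace URIs in the metadata stream, anything else in the body) and then applies the link-farm rule. The sample PDF is constructed inline from the link targets listed above; the thresholds, the path-template clustering check (which goes beyond the single-host wording of the heuristic), the literal-string-only /URI parsing and the minimal PDF builder are all assumptions, not the analyser's logic.

```python
"""
Link-farm heuristic for PDFs, modelled on the PDF_SEO_LINK_FARM and EMBEDDED_URL
findings.  Added example, not the analyser's own code; thresholds, the
path-template check and the minimal PDF builder are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /A << /S /URI /URI (http://...) >>  -- literal-string URIs only; hex strings and
# object streams are not handled (assumption, keeps the parser to one regex)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
XMP_BLOCK_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
HTTP_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs; channel is link-annotation, xmp-namespace or document-body."""
    found, seen = [], set()

    def add(url, channel):
        if url not in seen:
            seen.add(url)
            found.append((url, channel))

    for m in URI_ACTION_RE.finditer(pdf):                               # clickable link annotations
        add(m.group(1).decode("latin-1"), "link-annotation")
    for m in HTTP_RE.finditer(b"".join(XMP_BLOCK_RE.findall(pdf))):    # RDF/XMP namespace URIs
        add(m.group(0).decode("latin-1"), "xmp-namespace")
    for m in HTTP_RE.finditer(pdf):                                     # anything else in the body
        add(m.group(0).decode("latin-1"), "document-body")
    return found


def path_template(url: str) -> str:
    """Directory part of the URL path with digit runs collapsed, e.g. /uploads/N/N/N/N/N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf: bytes, min_links=5, max_size=200_000,
                      min_pdf_share=0.5, min_cluster_share=0.5) -> dict:
    """Flag a small PDF whose clickable links are mostly .pdf targets and cluster on one host or path scheme."""
    links = [u for u, ch in extract_urls(pdf) if ch == "link-annotation"]
    result = {"flag": False, "size": len(pdf), "links": len(links), "distinct_hosts": 0,
              "pdf_share": 0.0, "top_host_share": 0.0, "top_path_template": "", "top_template_share": 0.0}
    if not links:
        return result
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    templates = Counter(path_template(u) for u in links)
    top_tpl, top_tpl_n = templates.most_common(1)[0]
    result.update(
        distinct_hosts=len(hosts),
        pdf_share=sum(urlsplit(u).path.lower().endswith(".pdf") for u in links) / len(links),
        top_host_share=hosts.most_common(1)[0][1] / len(links),
        top_path_template=top_tpl,
        top_template_share=top_tpl_n / len(links),
    )
    result["flag"] = (len(pdf) <= max_size and len(links) >= min_links
                      and result["pdf_share"] >= min_pdf_share
                      and max(result["top_host_share"], result["top_template_share"]) >= min_cluster_share)
    return result


def build_sample_pdf(urls) -> bytes:
    """Constructed minimal PDF (no xref table, not meant for viewers): one Link annotation per URL plus an XMP packet."""
    annots = "".join(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>\n"
                     for u in urls)
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           '<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/"/></rdf:RDF></x:xmpmeta>')
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n{annots}] >> endobj\n"
            f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Sample built from the link targets listed in the report; the control uses reserved example domains.
SAMPLE_PDF = build_sample_pdf([
    "http://seizediem.com/uploads/1/3/0/5/130551635/130551635.html#kavalier+and+clay+part+6+summary",
    "http://poochesandsmooches.org/uploads/1/3/0/2/130274017/5c19bf.pdf",
    "http://julesgiftcafe.com/uploads/1/3/1/4/131453499/8244155.pdf",
    "http://tonibrannan.com/uploads/1/3/0/5/130551211/katimejufuvo-muwokalosa-gisakivukop-xusixesewerada.pdf",
    "http://keliciapitts.com/uploads/1/3/1/3/131379045/9364181.pdf",
    "http://rgbatiment.net/uploads/1/3/0/5/130539315/c403dc.pdf",
    "http://locksmiths-near-me.org/uploads/1/3/1/3/131398563/vediwimenozi-vapatu.pdf",
    "http://passionfeetwineslushie.com/uploads/1/3/0/5/130590457/6423759.pdf",
    "http://nasirharmon.com/uploads/1/3/1/4/131405951/818763.pdf",
])
BENIGN_PDF = build_sample_pdf(["http://example.com/report.pdf", "http://example.org/index.html"])

if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))   # flag True: 9 links, 9 hosts, one shared path template
    print(link_farm_verdict(BENIGN_PDF))   # flag False: only two links
```

Run against the constructed sample the two XMP namespace URIs come back labelled xmp-namespace and never enter the link count, which is the distinction the EMBEDDED_URL note asks for; the nine /URI targets give a top-host share of 1/9 but a path-template share of 1.0, so the template check is what carries this particular sample over the threshold.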

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00009f7f.bin
    SHA-256: 5f3ba05b18842cf6b9dbf723e18693d0e981c237072802a956481fb656929698
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F7F
    Size: 8748 bytes

An embedded sfnt font is normal output for a wkhtmltopdf/Qt-generated document and is not by itself an indicator.