Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b22d2663360a352…

MALICIOUS

PDF

58.0 KB Created: 2020-03-24 09:56:09 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 05729db2397569de9f200d5abef8794e SHA-1: 2e1c41a83d6e8e8d0fe5f03723297abe18f95e8b SHA-256: 3b22d2663360a35299ed51658246502a6a455a76e3d40585edc92fbb63cf5869
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing lure. The presence of a 'download button' heuristic further suggests an attempt to trick the user into clicking a link, likely to download a malicious payload or visit a phishing site. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://beaverdamchurchonline.org/uploads/1/3/0/2/130291640/130291640.html#lecture+theatre+design+standards
    • http://www.hungry-for-healing.com/uploads/1/3/0/3/130379051/594790.pdf
    • http://fuerzaypoder.org/uploads/1/3/0/9/130969298/9837594faa7a.pdf
    • http://coinpare.com/uploads/1/3/0/7/130739873/sasatagidat.pdf
    • http://band-ems.org/uploads/1/3/0/7/130775104/lugew_lubem.pdf
    • http://dewise.net/uploads/1/3/0/8/130874261/mibofoto.pdf
    • http://soselectrical.co.nz/uploads/1/3/0/5/130545011/nunizixowudufomejuz.pdf
    • http://www.uartsdesign.com/uploads/1/3/0/7/130776035/44efbdcdde5f.pdf
    • http://smart-touchscreen.com/uploads/1/3/0/6/130639476/6c16f.pdf
    • http://detroitsloveguru.org/uploads/1/3/0/5/130588150/3162500.pdf
    • http://cleaningstgeorge.com/uploads/1/3/0/7/130776677/tavemikeduger.pdf
    • http://alohawraps.co/uploads/1/3/0/4/130475921/5258883.pdf
    • http://beckervetclinic.com/uploads/1/3/0/6/130620176/pijawunosinebirajuvu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b15e.bin
a7ff9fc2032805490e68b51757e687aa7bc52c8c67ce48c71030fd9e9774c685		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB15E 8236 bytes
font_01_sfnt_off0000d0fc.bin
d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD0FC 2616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.