Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d03a9e0a5f40dd3…

MALICIOUS

PDF

37.0 KB Created: 2020-05-17 12:38:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8da26a9ccea04b4af71873f6a58f39f5 SHA-1: 0018f12a924f1a3e5bd8db01fab4059bd4a82c90 SHA-256: 3d03a9e0a5f40dd3421a4f18adde5470c71b9ee2ec6e72c68a17c8ae08a062a7
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous embedded links to external resources, masquerading as a rent lease agreement. The PDF_SEO_LINK_FARM heuristic indicates a large number of these links, suggesting a link farm or SEO poisoning tactic. The presence of a visual download button lure further supports the malicious intent of directing users to potentially harmful content. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://4gen4.org/uploads/1/3/1/4/131409148/131409148.html#rent+lease+agreement+format+in+tamil
    • http://xtrnz.com/uploads/1/3/0/4/130476607/jutugekadekapamavopi.pdf
    • http://sparqkennel.com/uploads/1/3/0/2/130272072/6626669.pdf
    • http://spiessbuilding.com/uploads/1/3/0/6/130605374/ziduzu.pdf
    • http://bcpminc.com/uploads/1/3/0/7/130776169/bogezovawewi.pdf
    • http://apexninjutsu.net/uploads/1/3/0/2/130271045/vutajavage.pdf
    • http://treasurecoastprimeproperties.com/uploads/1/3/1/3/131380754/kexokedeparo.pdf
    • http://crescentrocks.org/uploads/1/3/1/8/131871605/0879fe699.pdf
    • http://challengedhouses.com/uploads/1/3/0/7/130776727/vepupumojupo_xugilera.pdf
    • http://ltcsoftball.org/uploads/1/3/1/6/131606260/25ca9166c.pdf
    • http://insideoutwellnessgm.com/uploads/1/3/1/4/131406578/1978790.pdf
    • http://usajuniorbasketball.com/uploads/1/3/0/9/130969603/vixezezajika.pdf
    • http://maggieakins.com/uploads/1/3/1/0/131070645/8959767.pdf
    • http://superwojo.com/uploads/1/3/0/5/130539419/bavopovukubatel-dajorit-zifilevosef-lotosonur.pdf
    • http://deeplyloved.org/uploads/1/3/0/7/130775768/rivumekorubevoguso.pdf
    • http://bwuethrich.com/uploads/1/3/1/4/131407111/vusugelel-xofademepuwas-rafeperuwineg-motemunimef.pdf
    • http://primeeliteteam.com/uploads/1/3/0/4/130435884/sixemasagizit_fulatopemuso_zufarig_sigujaje.pdf
    • http://simplyamazingcopy.com/uploads/1/3/1/8/131856543/rezazateda.pdf
    • http://bboom.space/uploads/1/3/0/8/130873952/kemet.pdf
    • http://allfireduppizza.net/uploads/1/3/0/6/130621666/fezitivibirejasedal.pdf
    • http://utilitycarsunlimited.com/uploads/1/3/0/8/130873875/9767841.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065d9.bin
fbeb3590ed75fc6d3286e679fd5634f390ee836644c69973b9806f0f21d36431		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65D9 10036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.