Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d6baddd2e45efdc…

MALICIOUS

PDF

37.4 KB Created: 2020-06-12 02:40:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 203a8f6e5f1e0a354ba264d38c1dff3d SHA-1: bd2e578e3680afaa397cf0923159e85981691180 SHA-256: 3d6baddd2e45efdc0d6bc05c8b61e765a966b69367015b85e4cac540193b4b21
72 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to similarly structured URLs on different domains, suggesting a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains URLs that appear to be part of this link farm. The presence of a 'download button' heuristic further supports the idea that the document is intended to trick users into clicking links that lead to malicious downloads.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sta-66-99-58-220.ladse.org/uploads/1/3/1/3/131384098/131384098.html#english+vocabulary+pdf+free+download
    • http://awbce.org.au/uploads/1/3/1/4/131406386/xebiguvovokos.pdf
    • http://newgradmsw.com/uploads/1/3/0/7/130776611/vezepobi.pdf
    • http://stillnowork.com/uploads/1/3/0/4/130490451/2284042.pdf
    • http://carpetcleaningsv.com/uploads/1/3/0/6/130620224/64a609bcae38.pdf
    • http://rouletteinvestor.com/uploads/1/3/0/9/130969329/xenag-sipapufadaza-puzobam.pdf
    • http://chris-thayer.com/uploads/1/3/0/4/130436122/8bd3392ac8.pdf
    • http://rachelcrafts.net/uploads/1/3/1/4/131453222/tijul.pdf
    • http://mhtechmanufacturing.com/uploads/1/3/0/6/130639140/9177281.pdf
    • http://liviagh.com/uploads/1/3/0/2/130289355/dupex-nebasate.pdf
    • https://poxaxesap.files.wordpress.com/2020/06/nurafejawiloperovosir.pdf
    • https://kozujatuvi.files.wordpress.com/2020/06/30158642753.pdf
    • https://pujobat.files.wordpress.com/2020/06/55251739973.pdf
    • https://gujobuzagam594322867.files.wordpress.com/2020/06/63545444253.pdf
    • https://jogevedujip.files.wordpress.com/2020/06/95204793113.pdf
    • https://pidinapi.files.wordpress.com/2020/06/85702320974.pdf
    • https://xizisorizev.files.wordpress.com/2020/06/zolud.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000668f.bin
a45b5a93ab1982f1312fe18f65d01b72cf00ca70b208270b5df2c136f732b4cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x668F 10300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.