Malicious PDF — malware analysis report

Static analysis result for SHA-256 463fe8091245dec5…

Verdict: MALICIOUS
File type: PDF

Size: 20.9 KB
Created: 2020-04-01 14:25:17 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 91759fd3d893403c5337ea78a5262302
SHA-1: f2a11e080b3e57673710f5c61d0eccacc960aa3f
SHA-256: 463fe8091245dec53d774c8217b3c9574497dae86bc59659ca8dfa3314079f39
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF document is identified as an image-only lure, typical of phishing campaigns. It contains numerous external links, with the primary one being http://your3leggedstool.com/uploads/1/3/1/3/131380021/131380021.html#thermostat+for+suburban+rv+furnace. This suggests the document's purpose is to redirect the user to a malicious site, likely for credential harvesting or further malware delivery. No scripts were extracted from this sample.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) (medium, PDF_IMAGE_LURE)
    The PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 20 KB. This is the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://your3leggedstool.com/uploads/1/3/1/3/131380021/131380021.html#thermostat+for+suburban+rv+furnace