Malicious PDF — malware analysis report

Static analysis result for SHA-256 482b2b58a2298fd6…

MALICIOUS

PDF

Size: 28.7 KB
Created: 2020-04-01 15:12:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3beaa1e950773a5298e7540b3f84916f
SHA-1: b8d4296bb64ad658976562266116ca7d05dd1d1e
SHA-256: 482b2b58a2298fd68d209db0b9d9ce731450d1073da87f360c9ef59719c60fce
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF is a screenshot lure: a single image and no text objects, laid out so that the rendered page looks like a document or a button and the only thing a user can do is click through to an external site. According to its producer metadata the file was rendered from HTML by wkhtmltopdf, and its outbound links consist of one HTML lure page plus fifteen further PDFs hosted on fifteen different domains under an identical /uploads/1/3/... path layout. That mass of external PDF links is what fires PDF_SEO_LINK_FARM: the document is a generated carrier that routes visitors into an SEO/link-farm redirect chain rather than a normal document that cites sources. The primary lure URL is http://emotioncodetherapy.com/uploads/1/3/0/6/130604650/130604650.html#indice+de+competitividad+global+mexico+2018. Note that the w3.org, purl.org and ns.adobe.com entries in the URL list below are XMP metadata namespace identifiers, not clickable targets, and should not be blocked or hunted on.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links. The generic rule text expects the links to cluster on one host; in this sample they are spread across fifteen distinct domains that share the same /uploads/1/3/... path layout, so the link count and the repeated path template are the signals that matter here. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_IMAGE_LURE (medium): Image-only document with action trigger (screenshot lure)
    PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 28 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary lure URL: http://emotioncodetherapy.com/uploads/1/3/0/6/130604650/130604650.html#indice+de+competitividad+global+mexico+2018
    Further extracted URLs (external PDFs):
    • http://guaranteedfinancialaid.com/uploads/1/3/0/7/130776114/nerasuga_mabixibogexebuj_mokamibumudi.pdf
    • http://ramseyhistoricconsultants.com/uploads/1/3/0/7/130775808/palakotaz.pdf
    • http://hopewardbound.org/uploads/1/3/1/0/131071035/4120173.pdf
    • http://roofingbakers.com/uploads/1/3/0/5/130544318/3619085.pdf
    • http://myliw.com/uploads/1/3/0/2/130288318/rekaregomewaw.pdf
    • http://airpetsrelocation.com/uploads/1/3/0/6/130639489/4071613.pdf
    • http://bay-point-church.com/uploads/1/3/1/3/131383743/busetemijas.pdf
    • http://gab-archive.org/uploads/1/3/0/8/130874283/gaderesegonaxebew.pdf
    • http://brilliantbrightsmiles.com/uploads/1/3/0/5/130544321/2546309.pdf
    • http://xclusiv.com/uploads/1/3/0/5/130588830/8b0434411022272.pdf
    • http://234360060668842261.com/uploads/1/3/0/2/130287835/6e729.pdf
    • http://angelasoffice.com/uploads/1/3/0/5/130550657/7bbe421fda.pdf
    • http://sustainablelivingmagazine.ca/uploads/1/3/1/3/131384708/pifefibafu.pdf
    • http://8200doral.com/uploads/1/3/0/5/130539085/vapobaf.pdf
    • http://myeagerlaw.com/uploads/1/3/0/5/130551576/fe379ba90a0374e.pdf
    XMP metadata namespace URIs (schema identifiers from the metadata stream, not link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
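The following script is an added example, not part of the report or of the analysis engine that produced it. It re-implements the two lure heuristics above (PDF_SEO_LINK_FARM and PDF_IMAGE_LURE) and the EMBEDDED_URL channel labelling over a constructed, uncompressed-except-for-the-content-stream PDF built in memory: one image XObject, a FlateDecode content stream that draws the image and shows no text, one /Link annotation per URL, and an XMP metadata stream so that namespace URIs show up as a separate, non-clickable channel. The placeholder hosts, thresholds (8 links, 64 KB, 50% clustering) and the numeric-path-template clustering rule are assumptions chosen to mirror the shape of this sample; the real engine's thresholds are not published on this page. The scanner is deliberately simple (no xref parsing, no object streams, no encryption, literal-string /URI values only).

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"^(.*?)stream\r?\n(.*)\r?\nendstream\s*$", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # literal strings only (no hex strings, no escapes)
XMLNS_RE = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')   # schema URIs declared in the XMP packet


def build_sample_pdf(links, text=b""):
    """CONSTRUCTED sample for this example (no xref table; only object bodies are scanned).
    One image, a content stream with no text unless `text` is given, one /Link per URL, XMP metadata."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    content = zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q " + text)
    annots = b" ".join(b"%d 0 R" % (7 + i) for i in range(len(links)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R"
        b" /Resources << /XObject << /Im0 5 0 R >> >> /Annots [" + annots + b"] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray"
        b" /BitsPerComponent 8 /Length 1 >>\nstream\n\x80\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI ("
             + u.encode() + b") >> >>" for u in links]
    body = b"".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


def iter_objects(pdf):
    """Yield (object number, dictionary bytes, decoded stream bytes or None); only FlateDecode is inflated."""
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = STREAM_RE.match(body)
        if not s:
            yield num, body, None
            continue
        head, data = s.group(1), s.group(2)
        if re.search(rb"/Filter\s*/FlateDecode", head):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # keep the raw bytes; a filter that fails to decode is itself worth flagging
        yield num, head, data


def classify_urls(pdf):
    """Label each URL with the channel that carried it, as the report's EMBEDDED_URL entry describes:
    'link_annotation' for clickable /URI actions, 'xmp_namespace' for schema URIs in the metadata stream."""
    channels = {}
    for _num, head, data in iter_objects(pdf):
        if re.search(rb"/Subtype\s*/Link", head):
            for u in URI_RE.findall(head):
                channels.setdefault(u.decode("latin-1"), "link_annotation")
        if re.search(rb"/Type\s*/Metadata", head) and data:
            for u in XMLNS_RE.findall(data):
                channels.setdefault(u.decode("latin-1"), "xmp_namespace")
    return channels


def page_stats(pdf):
    """Count image XObjects and BT...ET text blocks in content streams (streams without a /Subtype)."""
    images = text_blocks = 0
    for _num, head, data in iter_objects(pdf):
        if re.search(rb"/Subtype\s*/Image", head):
            images += 1
        elif data is not None and not re.search(rb"/Subtype", head):
            text_blocks += len(re.findall(rb"\bBT\b.*?\bET\b", data, re.S))
    return images, text_blocks


def link_farm(channels, size, min_links=8, max_size=64 * 1024, share=0.5):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links, clustered either on one host
    (the rule's generic wording) or on one numeric path template (what this sample's links share)."""
    pdf_links = [u for u, c in channels.items()
                 if c == "link_annotation" and urlsplit(u).path.lower().endswith(".pdf")]
    if size > max_size or len(pdf_links) < min_links:
        return False, {}
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in pdf_links)
    top_host, top_template = hosts.most_common(1)[0], templates.most_common(1)[0]
    clustered = max(top_host[1], top_template[1]) >= share * len(pdf_links)
    return clustered, {"pdf_links": len(pdf_links), "top_host": top_host, "top_template": top_template}


def image_lure(channels, images, text_blocks, size, max_size=64 * 1024):
    """PDF_IMAGE_LURE: at least one image, zero text blocks, a click-outward action, small file."""
    clickable = any(c == "link_annotation" for c in channels.values())
    return images >= 1 and text_blocks == 0 and clickable and size <= max_size


def analyse(pdf):
    channels = classify_urls(pdf)
    images, text_blocks = page_stats(pdf)
    farm, evidence = link_farm(channels, len(pdf))
    return {"size": len(pdf), "images": images, "text_blocks": text_blocks, "urls": channels,
            "PDF_SEO_LINK_FARM": farm, "link_farm_evidence": evidence,
            "PDF_IMAGE_LURE": image_lure(channels, images, text_blocks, len(pdf))}


# Constructed link set mirroring the report's shape: one HTML lure plus PDFs on distinct
# placeholder hosts that all share the same numeric /uploads/... path template.
SAMPLE_LINKS = ["http://lure.example/uploads/1/3/0/6/130000000/index.html#topic"] + [
    "http://host%02d.example/uploads/1/3/0/%d/13%07d/file.pdf" % (i, i % 10, i) for i in range(10)]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PDF).items():
        print(key, value)
```

The host-or-template clustering choice is the point worth taking away: a rule that only checks for one dominant host would miss this sample, whose fifteen PDF links sit on fifteen domains, while the collapsed path template matches every one of them. A text-bearing variant (pass `text=b"BT /F1 12 Tf (hello) Tj ET"` to `build_sample_pdf`) no longer satisfies PDF_IMAGE_LURE, and a file with fewer than eight PDF links drops PDF_SEO_LINK_FARM.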

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004f6a.bin
SHA-256: d7282fb4d3e4b2b369cddcfce523d85a66797da6b261f451e0e9f55bf222303b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4F6A
Size: 4852 bytes