Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ddc1d5c5c242916…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Created: 2020-05-31 19:44:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7eba9b02bd6c78f08edaaa39f6ecce81
SHA-1: d0abb71eae3624f6720e03173c4b47e9a22d5994
SHA-256: 4ddc1d5c5c24291684a3bce9c99362475f965c2e5447d9c47d72cb52efe2f50c
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1204.002 Malicious File

The PDF contains a large number of external links, most of them pointing to further PDF files hosted on various domains. The document body is a lure for downloading a film, a common social engineering theme, and the primary URL, http://cpanel.100percentcajun.com/uploads/1/3/0/2/130289636/130289636.html#download+film+cek+toko+sebelah+480p, carries that lure directly in its fragment. The PDF_SEO_LINK_FARM heuristic fires on the volume of generated links, which is consistent with search-engine manipulation and with routing users into further download chains. Note that in this sample the link targets are spread over fourteen hosts rather than clustered on one, but nine of them share the same /uploads/1/3/x/y/<numeric id>/ path layout (as does the primary URL) and the other five are files.wordpress.com subdomains, so the generated-link pattern still holds.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://cpanel.100percentcajun.com/uploads/1/3/0/2/130289636/130289636.html#download+film+cek+toko+sebelah+480p
    Link targets:
    • http://17q.undesirable.us/uploads/1/3/1/4/131483371/1282350.pdf
    • http://fmdotnwebsolutions.com/uploads/1/3/1/4/131438356/6761387.pdf
    • http://mohsesports.com/uploads/1/3/0/6/130639734/labaxeteparujun.pdf
    • http://hilfda.ch/uploads/1/3/0/6/130605399/7588355.pdf
    • http://professionalgardens.net/uploads/1/3/0/2/130288381/lesoxu-wawejofuroredog-vorebonosen-xafanepenefu.pdf
    • http://wmbcreditsolutions.com/uploads/1/3/0/8/130873962/4598628.pdf
    • http://strikebox.co/uploads/1/3/0/6/130621035/4426390.pdf
    • http://fauquiereyecare.net/uploads/1/3/1/6/131606569/f2c905ba5265a23.pdf
    • http://thestudentsforstudentsproject.com/uploads/1/3/1/0/131071298/861ddac8889f.pdf
    • https://puxekagoduse.files.wordpress.com/2020/05/sisifipi.pdf
    • https://xajuwujijiz.files.wordpress.com/2020/05/turapiwejawenebisupu.pdf
    • https://jomixeb.files.wordpress.com/2020/05/90367758029.pdf
    • https://kekufej.files.wordpress.com/2020/05/nalotesanaxewuw.pdf
    • https://feguwijagin.files.wordpress.com/2020/05/luxaxifix.pdf
    XMP metadata namespace URIs (schema identifiers from the document's metadata stream, not clickable link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
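The heuristics above describe a check that is easy to reproduce offline: pull every URI action out of the raw PDF, keep it separate from the XMP namespace URIs that also look like URLs, and flag a small file whose external .pdf link targets cluster on few domains. The script below is an added example, not the analysis platform's own detection code; its thresholds, the naive registrable-domain logic, the constructed sample PDF and the example.net/example.org/example.com hostnames are all assumptions.

```python
"""Link-farm heuristic for PDFs: an added example, not the analysis platform's
own detection code.  It extracts URLs from a PDF's raw bytes, records the channel
that reached each (link annotation vs. XMP metadata namespace), and flags small
files whose external .pdf links cluster on a few domains.  Thresholds and the
sample hostnames are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /Link annotations carry a URI action:  /A << /S /URI /URI (http://...) >>
# (literal strings only; hex strings and escaped parentheses are not handled)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# XMP schema namespaces are xmlns declarations inside the /Metadata stream;
# they are identifiers, not link targets, and must not be counted as links.
XMP_NS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')


def _unique(items):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_urls(pdf_bytes):
    """Map each URL to the channel it came from: 'link_annotation' for URI
    actions, 'xmp_namespace' for metadata schema URIs."""
    return {
        "link_annotation": _unique(m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf_bytes)),
        "xmp_namespace": _unique(m.decode("latin-1") for m in XMP_NS_RE.findall(pdf_bytes)),
    }


def registrable_domain(url):
    """Naive registrable domain (last two labels); no public-suffix list, so
    'a.files.example.net' and 'b.files.example.net' both collapse to 'example.net'."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_pdf_links=8, min_cluster_share=0.5):
    """Assumed thresholds: 'small' is at most max_size bytes, 'many' is at least
    min_pdf_links external .pdf link targets, and 'clustered' means the top
    registrable domain holds at least min_cluster_share of them."""
    links = extract_urls(pdf_bytes)["link_annotation"]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    domains = Counter(registrable_domain(u) for u in pdf_links)
    top_domain, top_count = domains.most_common(1)[0] if domains else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
           and share >= min_cluster_share)
    return {
        "size_bytes": len(pdf_bytes),
        "link_annotations": len(links),
        "external_pdf_links": len(pdf_links),
        "distinct_domains": len(domains),
        "top_domain": top_domain,
        "top_domain_share": round(share, 2),
        "PDF_SEO_LINK_FARM": hit,
    }


def build_sample_pdf(link_urls, xmp_namespaces):
    """Constructed test input (not the analysed sample): a minimal PDF with one
    /Link annotation per URL and an XMP metadata stream declaring the namespaces."""
    annots, objs = [], []
    for i, url in enumerate(link_urls):
        num = 10 + i
        annots.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
    decls = "".join(f' xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           f'<rdf:Description{decls}/></rdf:RDF></x:xmpmeta>')
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >>\nendobj\n"
            f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
            f"stream\n{xmp}\nendstream\nendobj\n"
            + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed sample: a lure page plus nine .pdf links, seven of them on
# subdomains of one hosting domain (hostnames are assumptions).
SAMPLE_LINKS = (
    ["http://cpanel.lure.example.org/uploads/1/3/0/2/1.html#download+film+480p"]
    + [f"https://blog{i}.files.example.net/2020/05/{i}.pdf" for i in range(7)]
    + ["http://site-a.example.org/uploads/1/3/1/4/2.pdf",
       "http://site-b.example.com/uploads/1/3/0/6/3.pdf"]
)
SAMPLE_XMP_NAMESPACES = ["http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/pdf/1.3/"]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP_NAMESPACES)
    for channel, urls in extract_urls(sample).items():
        print(channel, urls)
    print(link_farm_verdict(sample))
```

Run it against a real file with `link_farm_verdict(open(path, "rb").read())`. Two caveats apply to the regex approach: it only sees uncompressed object syntax, so a PDF whose annotation dictionaries live inside compressed object streams must be decompressed first, and the per-channel split is what keeps the XMP namespace URIs (w3.org, purl.org, ns.adobe.com) out of the link count, exactly as the EMBEDDED_URL note above asks for.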

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00006200.bin
  SHA-256: 047f3f4cadc8d1bfed275dc2ab80f8ee78d633af44b26323e16289ba649f80be
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6200
  Size: 3720 bytes

font_01_sfnt_off00006f2c.bin
  SHA-256: 472788141f4f4672e5ff49f4dc978fca310d620ca592acf253c6567f59e282ff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6F2C
  Size: 10464 bytes