Malicious PDF — malware analysis report

Static analysis result for SHA-256 51f8f73e0a25db4b…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Created: 2020-04-25 13:17:46 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2fe8a8273ea7954bd7f4bac12fa5d05e
SHA-1: d79788ca773cc8341dc407478fa987960f8e5c66
SHA-256: 51f8f73e0a25db4be626a017c751adcbf4823997858430afe179df733d8fdc2e
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, a pattern typical of SEO poisoning and of redirecting users to unwanted or malicious content rather than of a normal document's citations. The first extracted link (its fragment reads "new+movies+free++hd+tamil") points to a page advertising free movies, which in turn links to a further PDF; the remaining links point to .pdf files under near-identical /uploads/1/3/... paths on many different hosts. The producer string (wkhtmltopdf, an HTML-to-PDF converter, via Qt) is consistent with automatically generated carrier documents. Together this indicates a lure built to drive traffic into a link farm that may deliver malware or phishing content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wwwdaimondholiday.com/uploads/1/3/0/5/130551041/130551041.html#new+movies+free++hd+tamil
    • http://hbogarajets.com/uploads/1/3/1/4/131438259/kavum-vapuzawozak-nakux.pdf
    • http://cooking-with-kids.com/uploads/1/3/0/7/130738565/jizafenisagimev-sudiget-rojasorigin.pdf
    • http://entelisanomusic.com/uploads/1/3/0/6/130621707/204093.pdf
    • http://painters-boutique.com/uploads/1/3/0/6/130603946/pepivamovo.pdf
    • http://irelandisworldwide.com/uploads/1/3/0/3/130313454/121816.pdf
    • http://jointeamlegacy.net/uploads/1/3/0/2/130288644/7168073.pdf
    • http://mariolazarco.com/uploads/1/3/0/4/130435898/63c09061.pdf
    • http://wc-3.com/uploads/1/3/0/4/130435592/e8f70.pdf
    • http://projectunlearnandlisten.com/uploads/1/3/1/0/131070983/a6aff1f2.pdf
    • http://decentralizedcoin.org/uploads/1/3/0/5/130551015/zevalimiwi-tomiju-radatukof-vagodofovupe.pdf
    • http://kashamalyckyj.com/uploads/1/3/0/2/130272414/vugaziwik.pdf
    • http://buzz4business.com/uploads/1/3/1/0/131070652/fowefazosafi.pdf
    • http://livewell-bioscience.com/uploads/1/3/0/4/130483178/xorawifujaxumawimez.pdf
    • http://desiredcareadultfamilyhome.com/uploads/1/3/0/6/130639931/nunugibonujisa.pdf
    • http://irelandiswor
    The remaining six URIs come from the document's XMP metadata packet. They are RDF/XMP/Dublin Core schema namespace identifiers, not link targets, and should not be treated as indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
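The following script is an added example, not the analysis tool's own code, showing how the PDF_SEO_LINK_FARM and EMBEDDED_URL findings above can be reproduced from raw PDF bytes: it pulls /URI link actions out of the file, keeps them apart from the XMP namespace URIs that also look like URLs, and scores the link-farm pattern. It goes slightly beyond the heuristic text by also measuring clustering on a shared path template, since the listed links sit on many hosts but share the same /uploads/1/3/... layout. The thresholds, the sample PDF builder and the example.invalid-style hosts are assumptions made for this example.

```python
"""Triage a PDF for the SEO link-farm pattern flagged in this report.

Added example (not the analysis tool's code). Scans raw PDF bytes for /URI
link actions, separates them from XMP schema namespaces, and scores the
heuristic: small file, many external .pdf links, links clustered on one
host or on one shared path template. Thresholds are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a link action. Lazy match up to the first ')'
# that is not backslash-escaped (an escaped backslash right before ')' is not handled).
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# xmlns declarations in the XMP packet: schema identifiers, not clickable links.
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+\s*=\s*"([^"]+)"')


def pdf_unescape(raw: bytes) -> str:
    """Undo the backslash escapes PDF literal strings use for ( ) and backslash."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> dict:
    """Return URLs keyed by the channel that carries them."""
    return {
        "link_annotation": [pdf_unescape(m) for m in URI_RE.findall(pdf)],
        "xmp_namespace": [m.decode("latin-1") for m in XMLNS_RE.findall(pdf)],
    }


def path_template(url: str, depth: int = 3) -> str:
    """Collapse digit runs so /uploads/1/3/0/5/... and /uploads/1/3/1/4/... agree."""
    segs = [s for s in urlsplit(url).path.split("/") if s][:depth]
    return "/" + "/".join(re.sub(r"\d+", "N", s) for s in segs)


def link_farm_score(pdf: bytes, max_size: int = 100_000, min_links: int = 10,
                    cluster_frac: float = 0.6) -> dict:
    """Apply a PDF_SEO_LINK_FARM-style heuristic; thresholds are assumptions."""
    links = [u for u in extract_uris(pdf)["link_annotation"]
             if urlsplit(u).scheme in ("http", "https")]
    n = len(links)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    templates = Counter(path_template(u) for u in links)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links
               and pdf_targets >= n / 2
               and max(top_host, top_template) >= cluster_frac)
    return {"size": len(pdf), "external_links": n, "pdf_targets": pdf_targets,
            "distinct_hosts": len(hosts), "top_host_frac": top_host,
            "top_template_frac": top_template, "link_farm": flagged}


def build_sample_pdf(urls) -> bytes:
    """Constructed sample: a minimal PDF skeleton with one /Link annotation per URL
    and an XMP packet carrying the usual schema namespaces. Not xref-valid; it has
    just enough structure for the scanner above."""
    body, refs, n = [b"%PDF-1.4\n"], [], 4
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode()
        body.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (n, esc))
        refs.append(b"%d 0 R" % n)
        n += 1
    body.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [%s] >>\nendobj\n"
                % b" ".join(refs))
    body.append(b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n")
    body.append(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata %d 0 R >>\nendobj\n" % n)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')
    body.append(b"%d 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\n"
                b"endstream\nendobj\n" % (n, len(xmp), xmp))
    body.append(b"trailer\n<< /Root 1 0 R >>\n%EOF\n")
    return b"".join(body)


# Constructed inputs (hypothetical hosts): one lure landing page plus eleven .pdf
# links, each on a different host but sharing one upload-path template, and a
# benign two-link document for comparison.
FARM_URLS = ["http://lure0.example/uploads/1/3/0/5/130550000/130550000.html#free+movies"] + [
    f"http://site{i}.example/uploads/1/3/{i % 2}/{i}/1305{i:05d}/lure{i}.pdf"
    for i in range(1, 12)]
BENIGN_URLS = ["https://www.example.org/report.pdf", "https://docs.example.org/"]
FARM_PDF = build_sample_pdf(FARM_URLS)
BENIGN_PDF = build_sample_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for name, doc in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_score(doc))
```

On the constructed farm document the script reports 12 external links on 12 distinct hosts with a top-template fraction of 1.0 and flags it; the benign document falls below the link-count floor. The XMP namespaces are surfaced separately so they can be suppressed from the indicator list, which is exactly the per-channel labelling the EMBEDDED_URL finding refers to. A production scanner would decode object streams and handle hex-string /URI values, which this regex pass does not.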

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000067aa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x67AA  8280 bytes
  SHA-256: 06bb6d3a5ccc00fcdf4be7853aa163a6bce6ea145757c469ca95f937bb90fdfb
font_01_sfnt_off000087d1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x87D1  2848 bytes
  SHA-256: 54d41b2098d5b730dfe5cae5f637595b5c28c0fa6f902d2b9b0a03fac37f34be