PDF malware analysis — malicious · 53eed8835a900007

MALICIOUS

PDF

58.6 KB Created: 2020-04-22 02:46:02 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: b26b127b5fc8ddb0c8f00331683d9fb9 SHA-1: c950abd0596eb6b15eaa869f3ba7fbf50ca35a2c SHA-256: 53eed8835a9000073d0d2b76bc6b3bf7d2337a654840ea7372cdabb2f4acc747

102 Risk Score

Malware Insights

MITRE ATT&CK

T1204.001 Malicious Link/Object: User Execution: Malicious Link T1566.002 Phishing: Spearphishing Attachment

The PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO abuse tactic. The document also explicitly lures the user to install a browser extension or update, a common social-engineering technique. The presence of numerous unknown-reputation URLs indicates a potential distribution network for malicious content.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE

Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://geelongtreeservice.com/uploads/1/3/0/4/130489006/130489006.html#free++manager+portable
- http://4leggedwalks.com/uploads/1/3/0/2/130273762/lelusiwijiwal.pdf
- http://indigofibershed.com/uploads/1/3/0/8/130815059/tanatatitexon_fisinemoje_jasuxaroka.pdf
- http://handsolo101.com/uploads/1/3/0/6/130620455/c8c883d99d51.pdf
- http://creativecontent.app/uploads/1/3/0/6/130620370/6dbad73d.pdf
- http://rcgfunclub.club/uploads/1/3/0/7/130738914/f7ed915e391.pdf
- http://theawesomecornershop.com/uploads/1/3/0/5/130590026/tuvasadik_wirerisuniweri_dapad_rezalajobuweb.pdf
- http://buildtherelationship.com/uploads/1/3/0/5/130589302/vafetekoguzi.pdf
- http://homemadebabies.org/uploads/1/3/1/3/131383464/gonizukogureb.pdf
- http://tacwc.com/uploads/1/3/1/3/131379590/0e2669ae.pdf
- http://vinyldecorwithmelanie.com/uploads/1/3/0/7/130775867/a28d14eb4628f.pdf
- http://oopsiedaisies.com/uploads/1/3/0/8/130814652/neporok-nubewanetap.pdf
- http://wafflesmiles.net/uploads/1/3/1/4/131413222/befizod-lisekikajaxuli-biwulirosozet-gujibako.pdf
- http://stilettosandshotguns.com/uploads/1/3/0/5/130550684/rukopomowexux.pdf
- http://mamaloveprelovedpregnancybabyandbeyond.com/uploads/1/3/1/4/131438397/c71c4dc6e.pdf
- http://theawesomecornershop.com/uploads/1/3/0/5/130590026/tuvasadik_wirerisuniwer
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off00009ef8.bin` `2413a3ab5e4e513e6e41563be511a43301cb4cc4100c69a1df41772a8cfa8dd8`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9EF8	13008 bytes
`font_00_sfnt_off00007f40.bin` `ceb7c247fe80016ffbf90280e20dc5960244140c6323c7ca523052ebce73508a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F40	8276 bytes
`font_02_sfnt_off0000c82d.bin` `bb7f3a77f7833b39fe6b0cf08265a5ad0460cb4bda91382e6c877c0db3ce514d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC82D	16164 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.