Malicious PDF — malware analysis report

Static analysis result for SHA-256 55baae158ad866df…

MALICIOUS

PDF

53.7 KB Created: 2020-04-15 00:15:10 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 064f86e2c95de2a6f2e9c9569252b12e SHA-1: 2b90c86304cf7e14894340ce3b22e5a891db5c08 SHA-256: 55baae158ad866df9d857f42bc938b918433d795893ab10777167f2acf4d9a35
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF documents, a technique often used for SEO poisoning or to distribute further malicious content. The presence of a "download button" heuristic further supports the idea that the document is designed to trick users into clicking links. No scripts were extracted, but the link farm structure and the PDF_SEO_LINK_FARM heuristic strongly suggest a malicious intent to redirect users to potentially harmful sites.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://8128.work/uploads/1/3/0/5/130543394/130543394.html#madame+blavatsky+books+free
    • http://ctesf.org/uploads/1/3/1/3/131384613/7675007.pdf
    • http://cawestcollection.com/uploads/1/3/1/4/131407247/tepafimu.pdf
    • http://zwanzigdreizehn.com/uploads/1/3/1/4/131410736/bezolekiv.pdf
    • http://kasselllc.com/uploads/1/3/0/6/130621005/8c73d0e6aac7.pdf
    • http://erin-english.com/uploads/1/3/1/4/131437064/supetabutuvoboje.pdf
    • http://amyhahne.com/uploads/1/3/0/2/130289675/cb4a0e616afb0.pdf
    • http://meridenoildeliveries.com/uploads/1/3/0/3/130379342/5850612.pdf
    • http://kkirklandlaw.com/uploads/1/3/0/6/130621969/94459.pdf
    • http://familyurgentcares.com/uploads/1/3/0/4/130483660/tobijunepasaka-jumoxab-fegobuno.pdf
    • http://gayatrishala.com/uploads/1/3/0/6/130621397/5cfb17b9b7ef.pdf
    • http://shadowhorseprodcutionsllc.com/uploads/1/3/0/4/130488412/zivabimoxab_potuvasarapev.pdf
    • http://residentialconsultingllc.net/uploads/1/3/0/7/130776349/ff274a4d8998da.pdf
    • http://shadowhorseprodcutionsllc.com/uploads/1/3/0/4/13
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000093c0.bin
b3cf0a1bef8642448d53cddba6c3bbd7847d287d2c85b7c0ab4d3fbf25e705fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x93C0 8468 bytes
font_01_sfnt_off0000b3c8.bin
0a97bde9752fdee1f3e7370c79030bd93fe90b264c0961419b1ed7afc578e67c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB3C8 16104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.