Malicious PDF — malware analysis report

Static analysis result for SHA-256 55ec69c5896c8daf…

MALICIOUS

PDF

37.9 KB Created: 2020-03-12 11:53:26 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 970be4f7e6be709cc3d295f0db17264c SHA-1: 82211cfc80ee763c000eb9898d2d5636452266d9 SHA-256: 55ec69c5896c8dafc3ea9335c7abae8ccec84f351416af8f985e9758ff5968f8
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1218.011 Signed Binary Proxy Execution: Rundll32 T1218.010 Signed Binary Proxy Execution: Regsvr32 T1059.003 Command and Scripting Interpreter: Windows Command Shell T1218.005 Signed Binary Proxy Execution: Mshta

The PDF contains a large number of external links, indicating a link farm or redirection to potentially malicious content. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document contains instructions for executing Windows command-line tools, likely to facilitate the download or execution of further payloads. No scripts were extracted, but the presence of multiple external URLs and the LOLBin execution hint points to a delivery mechanism for other malware. The document body itself is largely unreadable, but contains the title 'Ways to make paper airplanes fly farther' and the URL 'http://xingheyulechengguanwang.br3h.com/uploads/1/3/0/8/130874384/130874384.html#ways+to+make+paper+airplanes+fly+farther', suggesting a lure.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xingheyulechengguanwang.br3h.com/uploads/1/3/0/8/130874384/130874384.html#ways+to+make+paper+airplanes+fly+farther
    • http://distractedbybling.com/uploads/1/3/0/5/130543261/6f7843.pdf
    • http://kinrosscurlingtrust.org/uploads/1/3/0/7/130775050/pesofupe.pdf
    • http://grillou.fr/uploads/1/3/0/7/130776808/bef7de791b1fa.pdf
    • http://lucernecountryclubrvpark.com/uploads/1/3/0/7/130738676/e83fdd.pdf
    • http://sunshinebikehire.co.uk/uploads/1/3/0/6/130604651/3871702.pdf
    • http://mygametruckcostamesa.com/uploads/1/3/0/5/130589227/b616de98fd13bde.pdf
    • http://kylepucciamusic.com/uploads/1/3/0/4/130476821/4793676.pdf
    • http://www.stoneycreeknetwork.com/uploads/1/3/0/8/130813528/9289102.pdf
    • http://ericsoldfriends.com/uploads/1/3/0/6/130640163/2a943dc3.pdf
    • http://sarinabenn.com/uploads/1/3/0/6/130603895/e3bbb878c44dd.pdf
    • http://himagazineonline.com/uploads/1/3/0/6/130639895/5f942aed5f11192.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c57.bin
6ef794a0519b854b1a9793abfb8f0eb667d3928b39384a04b745a946cf54f03a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C57 7720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.