Malicious PDF — malware analysis report

Static analysis result for SHA-256 568b2796ee68ebbe…

MALICIOUS

PDF

55.4 KB Created: 2020-04-13 22:00:55 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ed9739d7d628f0129584e542b3bfab32 SHA-1: cdf6b83d3741f673b5ec1c4abd9f4d789e0a3aec SHA-256: 568b2796ee68ebbe0e2138ed6118c560e434425608ecd9a8c27e0749971ea25f
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a mass of external links, many of which are numerically slugged and hosted on various domains, indicating a link farm or SEO abuse tactic. The document body, though heavily obfuscated, contains text suggesting it is a "Pandoc markdown cheat sheet" and mentions a "download button", which aligns with the PDF_SEO_LINK_FARM and SE_DOWNLOAD_BUTTON heuristics. The primary intent appears to be to lure users into clicking these links, likely leading to further malicious content or downloads.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mtrrepairs.com/uploads/1/3/0/2/130289504/130289504.html#pandoc+markdown+cheat+sheet
    • http://cafeasmara.com/uploads/1/3/1/3/131379743/kajarasu_kutawebozedu_tebol.pdf
    • http://thecaringculture.net/uploads/1/3/0/8/130874067/8222103.pdf
    • http://windshiftllc.com/uploads/1/3/1/3/131383388/8743074.pdf
    • http://eridani.co/uploads/1/3/1/3/131379643/4475492.pdf
    • http://ryanmcmullan.com/uploads/1/3/1/3/131379047/sirosogobimumog.pdf
    • http://grahamwatersandson.net/uploads/1/3/0/5/130551427/zakomudefaxoj_ginenabufo_mosaraletama.pdf
    • http://thewindhorsecenter.com/uploads/1/3/1/3/131397997/zejume.pdf
    • http://doggybackseatplatforms.com/uploads/1/3/0/5/130544379/d064904b512105.pdf
    • http://interpretingconsultants.com/uploads/1/3/0/3/130379361/gepomirite-jisowif-kexiwer-fubonavej.pdf
    • http://stacey-ramos.com/uploads/1/3/0/5/130590215/af91404a9e894a.pdf
    • http://stacey-ramos
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ab1d.bin
59c0008d1849936cd6b62ee4621111d8f2cb6669ad58e438292e78635c7e5764		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAB1D 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.