Malicious PDF — malware analysis report

Static analysis result for SHA-256 5776d8404a914a43…

Verdict: MALICIOUS
Type: PDF
Size: 41.4 KB
Created: 2020-03-31 06:11:30 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 796a3a57240a30cb240ac5efa69f83bd
SHA-1: f90ae4f81bb03c93bda5f954903d03ebe2f4f516
SHA-256: 5776d8404a914a43d02ddf288383142d3547d36927744069e8604337b3cd5004
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains an unusually large number of external links for its size, a pattern used for SEO poisoning and for routing users to malicious sites. The document body, though heavily obfuscated, references educational notes (the lure URL's fragment reads 'nationalism in india class 10 notes'), which points to a lure aimed at students searching for study material. A 'download button' call-to-action heuristic also fired; together with the link farm this suggests a workflow designed to walk the user into downloading additional payloads.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 21 .pdf targets are spread over 21 different hosts but share a single path template (/uploads/1/3/x/y/13xxxxxxx/<name>.pdf), so the clustering here is by path template rather than by host.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it matters only when other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://clouttrain.net/uploads/1/3/0/6/130640116/130640116.html#nationalism+in+india+class+10+notes+dronstudy
    • http://asheaenterprises.com/uploads/1/3/0/3/130312920/3628247.pdf
    • http://lifecontracting.ca/uploads/1/3/0/5/130540021/612ba997ba369f0.pdf
    • http://chieftainsrugby.com/uploads/1/3/0/4/130476146/4093185.pdf
    • http://waynebeitler.com/uploads/1/3/0/7/130738543/6317910.pdf
    • http://crimsonshadowpack.com/uploads/1/3/0/7/130775758/sokawejotoba.pdf
    • http://ktffoundation.org/uploads/1/3/0/6/130640126/9a554.pdf
    • http://thelieswetellourselves.org/uploads/1/3/0/6/130620745/movasevojebimi_polupomisafu_binozawebenopos.pdf
    • http://lifevinechurchtx.com/uploads/1/3/0/6/130604564/loludagadu_kemewipu_sodoke_fadadipuxuw.pdf
    • http://yahairahernandez.com/uploads/1/3/0/7/130740210/wosadozuwimupi_fudopapoxifir_jemujufota.pdf
    • http://therestaurantfixer.com/uploads/1/3/1/0/131069891/zogefejaxuxef.pdf
    • http://khamoshiarts.com/uploads/1/3/0/2/130271031/8408a65796bb937.pdf
    • http://mountaintimecolorado.com/uploads/1/3/1/1/131164291/vemajugujepolo.pdf
    • http://countryandeasylistening.net/uploads/1/3/0/7/130739699/titeperojuvefeg.pdf
    • http://mosaiclearning.org/uploads/1/3/0/4/130475881/vilozab_tuzesoj.pdf
    • http://myunitedfinancial.com/uploads/1/3/0/3/130313445/9c50cbf6038986.pdf
    • http://iriszphotography.com/uploads/1/3/0/5/130546096/c497a81bcad.pdf
    • http://thecatwhisperer.lol/uploads/1/3/0/7/130776177/vujonirazepevivexa.pdf
    • http://ashonfood.com/uploads/1/3/0/4/130488087/198343.pdf
    • http://imageone.us/uploads/1/3/1/4/131410090/8cd8187376c89.pdf
    • http://safifoundation.org/uploads/1/3/1/4/131407111/9565021.pdf
    • http://lakecharlescw.com/uploads/1/3/0/6/130605374/xavefazi.pdf
    Standard XMP/RDF namespace URIs from the document's metadata stream (schema identifiers declared by the XMP packet, not link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
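The two heuristics that drove the verdict (PDF_SEO_LINK_FARM and SE_DOWNLOAD_BUTTON) and the per-channel URL labelling are straightforward to reproduce. The following Python is an added example written for this page, not the analyzer's own code: the regexes, thresholds (200 KB, 10 links, 50% clustering), the call-to-action phrase list and the sample PDF it builds are all assumptions or constructed input. It mirrors what the sample above shows, namely .pdf targets spread over many hosts that share one path template, by clustering on either the host or the digit-normalised path.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Scanner for the two heuristics in the report. It only understands the literal-string
# forms `/URI (...)` and `(...) Tj` in *uncompressed* objects; real samples usually
# Flate-compress page content and may keep annotations in object streams, so inflate
# with zlib (or use a real PDF parser) before pointing this at a live sample.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj", re.S)
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
CTA_RE = re.compile(r"click here to download|download now|download (?:the )?pdf", re.I)  # assumed phrase list


def pdf_unescape(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and \\ddd octal."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C or i + 1 == len(raw):          # ordinary byte
            out.append(raw[i]); i += 1; continue
        nxt = raw[i + 1]
        if 0x30 <= nxt <= 0x37:                          # \ddd, one to three octal digits
            j = i + 1
            while j < min(i + 4, len(raw)) and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF); i = j; continue
        out.append({0x6E: 10, 0x72: 13, 0x74: 9}.get(nxt, nxt)); i += 2
    return out.decode("latin-1")


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """URL -> channels that carried it: 'uri_action' for clickable /URI link actions,
    'raw' for any http(s) URL seen anywhere in the file. The 'raw' channel is how XMP
    namespace URIs (http://ns.adobe.com/xap/1.0/ and friends) land in a URL list."""
    channels: dict[str, set[str]] = {}
    for m in URI_RE.findall(pdf):
        channels.setdefault(pdf_unescape(m), set()).add("uri_action")
    for m in URL_RE.findall(pdf):
        channels.setdefault(m.decode("latin-1"), set()).add("raw")
    return channels


def link_farm_verdict(pdf: bytes, *, max_size=200_000, min_links=10, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM re-implemented (thresholds are assumptions): a small PDF whose
    clickable targets are mostly external .pdf files clustering on one host OR on one
    digit-normalised path template across many hosts (the pattern in the report)."""
    links = [u for u, ch in extract_urls(pdf).items() if "uri_action" in ch]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in pdf_links)
    top = max([n for _, n in hosts.most_common(1)] + [n for _, n in templates.most_common(1)], default=0)
    clustered = bool(pdf_links) and top / len(pdf_links) >= cluster_ratio
    return {"pdf_links": len(pdf_links), "hosts": len(hosts), "clustered": clustered,
            "hit": len(pdf) <= max_size and len(pdf_links) >= min_links and clustered}


def cta_verdict(pdf: bytes) -> bool:
    """SE_DOWNLOAD_BUTTON: a call-to-action phrase in the text the page actually shows."""
    text = " ".join(pdf_unescape(m) for m in TJ_RE.findall(pdf))
    return CTA_RE.search(text) is not None


def assess(pdf: bytes) -> dict:
    farm = link_farm_verdict(pdf)
    findings = [("PDF_SEO_LINK_FARM", "critical")] if farm["hit"] else []
    if cta_verdict(pdf):
        findings.append(("SE_DOWNLOAD_BUTTON", "low"))  # low-signal alone; corroborates the link farm
    return {"verdict": "MALICIOUS" if farm["hit"] else "CLEAN", "findings": findings, **farm}


def build_sample_pdf(targets: list[str], cta: str) -> bytes:
    """Constructed test input: one page, one text line, one /Link annotation per target and
    an XMP metadata object. No xref table and nothing compressed, so deliberately simpler
    than the real sample; the regex scan above needs neither."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(targets)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >>".encode())
    content = f"BT /F1 12 Tf 72 700 Td ({cta}) Tj ET".encode()
    objs.append(b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content))
    for t in targets:
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 680 300 700] "
                    f"/A << /S /URI /URI ({t}) >> >>".encode())
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/></x:xmpmeta>')
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


# Constructed targets mimicking the path template in the report; hostnames are invented.
LURE = "http://lure.example/uploads/1/3/0/6/130640116/130640116.html#class+10+notes"
TARGETS = [LURE] + [f"http://site{i:02d}.example/uploads/1/3/{i % 2}/{i % 10}/1306401{i:02d}/{i * 7919}.pdf"
                    for i in range(12)]
SAMPLE_PDF = build_sample_pdf(TARGETS, "Click here to download")

if __name__ == "__main__":
    print(assess(SAMPLE_PDF))
```

The clustering step is the part worth keeping when adapting this: hashing on host alone would have missed this sample, while collapsing digit runs in the directory part of the path turns every target above into the same key.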

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000078e6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x78E6
    Size: 8080 bytes
    SHA-256: 15e9766ff330f59a2c91d49bdb9db4825965fc7004c15f7e682ac85234cc1582
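The report lists the carved blob as an sfnt font but raises no finding on it. Before handing such a blob to a font parser, shaping engine or sandbox, an analyst normally confirms the carver's label and checks that the table directory is internally consistent. The Python below is an added example for this page, not the analyzer's code: it parses the standard sfnt offset table and table records, flags out-of-bounds tables, an unsorted directory and checksum mismatches, and builds a constructed minimal font (no glyph data) as its test input; the version-tag table and the `head` exemption follow the sfnt specification.

```python
import struct

# sfnt offset table: version(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2),
# followed by numTables records of tag(4) checkSum(4) offset(4) length(4).
SFNT_VERSIONS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)", b"OTTO": "OpenType/CFF"}


def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words over the table zero-padded to a 4-byte multiple, mod 2**32."""
    data += b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(data) // 4), data)) & 0xFFFFFFFF


def parse_sfnt(blob: bytes) -> dict:
    """Parse the directory of a carved font and list structural problems rather than trusting
    the carver's label. Raises ValueError if the blob is not a single-face sfnt at all."""
    if len(blob) < 12:
        raise ValueError("shorter than an sfnt offset table")
    flavor = SFNT_VERSIONS.get(blob[:4])
    if flavor is None:
        raise ValueError(f"unknown sfnt version tag {blob[:4]!r} (collections 'ttcf' not handled)")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if len(blob) < 12 + 16 * num_tables:
        raise ValueError(f"directory claims {num_tables} tables but blob is {len(blob)} bytes")
    tables, problems, prev_tag = {}, [], b""
    for i in range(num_tables):
        tag, csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        name = tag.decode("latin-1")
        tables[name] = {"offset": off, "length": length}
        if tag < prev_tag:                       # records must be sorted ascending by tag
            problems.append(f"{name}: directory not sorted by tag")
        prev_tag = tag
        if off < 12 + 16 * num_tables or off + length > len(blob):
            problems.append(f"{name}: offset {off} length {length} outside blob")
            continue
        # 'head' is exempt: its checkSumAdjustment field makes the stored sum depend on the whole file.
        if tag != b"head" and table_checksum(blob[off:off + length]) != csum:
            problems.append(f"{name}: checksum mismatch")
    return {"flavor": flavor, "num_tables": num_tables, "tables": tables, "problems": problems}


def build_sfnt(tables: dict[bytes, bytes]) -> bytes:
    """Constructed minimal TrueType-flavoured sfnt with a correct directory and checksums.
    Table payloads are arbitrary bytes; this exists only to exercise parse_sfnt."""
    tags = sorted(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tags), 0, 0, 0)
    offset = 12 + 16 * len(tags)
    directory, body = b"", b""
    for tag in tags:
        data = tables[tag]
        padded = data + b"\0" * (-len(data) % 4)
        directory += struct.pack(">4sIII", tag, table_checksum(data), offset, len(data))
        body += padded
        offset += len(padded)
    return header + directory + body


SAMPLE_FONT = build_sfnt({b"cmap": b"\x00\x00\x00\x01\x00\x03\x00\x01\x00\x00\x00\x0c",
                          b"maxp": b"\x00\x00\x50\x00\x00\x05",
                          b"name": b"\x00\x00\x00\x00\x00\x06"})

if __name__ == "__main__":
    print(parse_sfnt(SAMPLE_FONT))
```

A clean directory is a sanity check, not a clearance: it tells you the blob is what the carver says and is safe to hand to a full font parser for deeper inspection, nothing more.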