Malicious PDF — malware analysis report

Static analysis result for SHA-256 577da3a0790bb496…

MALICIOUS

PDF

48.8 KB Created: 2020-04-02 11:43:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5e01ac9cf83ad32660b0cbed79b70c2a SHA-1: 2562d0a090c0176e2e2a8aec75c99c5349b7dbea SHA-256: 577da3a0790bb4968a7efad9d695ba9cca0f7bb83b559f9ca700ba843b2c715a
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body suggests a lure for a "heat transfer ebook free download", which is likely a pretext to encourage clicks on the embedded malicious URLs. The heuristic PDF_SEO_LINK_FARM indicates a high volume of links, suggesting a link farm or SEO manipulation tactic. The primary malicious URL identified is http://referral360network.com/uploads/1/3/0/7/130739049/130739049.html#heat+transfer+ebook+free+download.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://referral360network.com/uploads/1/3/0/7/130739049/130739049.html#heat+transfer+ebook+free+download
    • http://nordicinter.net/uploads/1/3/0/4/130488401/vavanewefivawop.pdf
    • http://lisambauder.com/uploads/1/3/0/4/130483325/tetafaxorijalig.pdf
    • http://coachingpatients.com/uploads/1/3/0/6/130620209/mafubivewimir.pdf
    • http://awazetour.com/uploads/1/3/0/2/130291658/zamaxudema-donuxima-xusipab.pdf
    • http://dartac.nl/uploads/1/3/0/5/130590375/8445076.pdf
    • http://5053lankershim.com/uploads/1/3/0/7/130775485/9845033.pdf
    • http://colectivopazybien.org/uploads/1/3/0/5/130551726/9e665f1e95a23.pdf
    • http://sacyapi.com/uploads/1/3/0/5/130551727/zikaweka.pdf
    • http://mediadunes.com/uploads/1/3/0/2/130270990/5869608.pdf
    • http://realmisterketo.com/uploads/1/3/0/5/130590383/gevugaras.pdf
    • http://chotchkiss.com/uploads/1/3/0/9/130969532/venedazavesivoli.pdf
    • http://mobileesthetics.net/uploads/1/3/1/3/131379061/6049253.pdf
    • http://rocklandcountydoula.net/uploads/1/3/0/7/130775220/kusekebasufa.pdf
    • http://domesticviolenceexpertwitness.org/uploads/1/3/0/2/130272859/jomofekaxu.pdf
    • http://cclg-global.com/uploads/1/3/0/6/130604798/gozulekupev-gukotadupe-desas-wogojubezasi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008201.bin
641ad23009bf01e584e4e4a6d2013fb4385db1afaca4fe1c1e88fcec956711c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8201 7924 bytes
font_01_sfnt_off0000a0d1.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA0D1 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.