Malicious PDF — malware analysis report

Static analysis result for SHA-256 57e66fa41032bd91…

MALICIOUS

PDF

35.9 KB Created: 2020-05-13 00:49:22 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d82865dd4db0cd3288c9fdd91e427a99 SHA-1: 83521c3299b4302c7271555afca3dca0a23f341b SHA-256: 57e66fa41032bd914c1d64f0288d70b0fc5eeb9c8f5f9a41d4232cefbcd3e452
70 Risk Score

Malware Insights

MITRE ATT&CK
T1599 Acquire Infrastructure T1599.001 Subdomain Acquisition

The PDF file contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or SEO manipulation tactic. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, with 30 external links detected. The presence of a 'download button' lure further suggests an attempt to entice user interaction with these links. The primary attack pattern is to leverage these numerous external links for malicious purposes, such as distributing further malware or engaging in SEO spam.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://janicebryansrmt.com/uploads/1/3/0/6/130639852/130639852.html#knowledge+transition+plan+template+excel
    • http://sherrodinstitute.com/uploads/1/3/1/0/131070378/7d5d3.pdf
    • http://sanddigital.org/uploads/1/3/0/6/130603835/seriw.pdf
    • http://liverpooldiscofestival.com/uploads/1/3/0/6/130639258/48e9a6fe.pdf
    • http://classicevaluators-usa.com/uploads/1/3/1/3/131383837/gaputuludafupo_tevixuxiw_pibowixezaf_jujoxugeza.pdf
    • http://sparksphilippines.com/uploads/1/3/0/4/130489075/5184079.pdf
    • http://montgomerycountyhumanesocietync.com/uploads/1/3/0/7/130775310/gepitek.pdf
    • http://holisticsignature.com/uploads/1/3/0/2/130288431/jesitimizexixuji.pdf
    • http://domrabotnicabezposrednikov.ru/uploads/1/3/0/2/130272600/wasalowakufepesi.pdf
    • http://elusvoutfitters.com/uploads/1/3/0/2/130289801/ebbb3bbdff.pdf
    • http://truexportadot.com/uploads/1/3/1/4/131407958/6089696.pdf
    • http://toddletots.ca/uploads/1/3/1/4/131437627/2769523.pdf
    • http://mb-style.com/uploads/1/3/0/5/130551124/8590945.pdf
    • http://annageorgiou.com/uploads/1/3/0/8/130814115/jivigar.pdf
    • http://kenoshaforgottenfriends.com/uploads/1/3/0/2/130287548/jowin.pdf
    • http://bcisimulation.com/uploads/1/3/0/2/130272890/xijawovemebuzijud.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000618f.bin
0396493143d655f35bb3eadc86fdbcc19191619184034709e4fca8982ef4ac91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x618F 10000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.