Malicious PDF — malware analysis report

Static analysis result for SHA-256 596623008c5ba6e2…

MALICIOUS

PDF

36.2 KB Created: 2020-03-12 05:09:02 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 88751e4e706d437eb016435b3fdbcd3a SHA-1: 73c0dabb0a16186522f3a927f2b5e0959e96e046 SHA-256: 596623008c5ba6e2be8da26ea4901c92681a4f839d3fee0186a75c95e4717961
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are hosted on domains that appear to be part of a link farm. One of the embedded links, http://74-123-73-184.mgwnet.com/uploads/1/3/0/6/130620302/130620302.html#acer+aspire+one+d257+bios+update+download, suggests a lure for a BIOS update. The presence of numerous unknown external URLs indicates a likely attempt to redirect the user to malicious content or download further payloads.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-73-184.mgwnet.com/uploads/1/3/0/6/130620302/130620302.html#acer+aspire+one+d257+bios+update+download
    • http://emilykeelerforcitycouncil.com/uploads/1/3/0/7/130738715/f4c28.pdf
    • http://tesslawrence.com/uploads/1/3/0/2/130288811/4ab88d6f698a27.pdf
    • http://borders.space/uploads/1/3/0/5/130588299/c4f8d16147.pdf
    • http://www.berthtv.com/uploads/1/3/0/6/130604088/4dc7b521d9500f4.pdf
    • http://teambassknob.com/uploads/1/3/0/8/130814782/9445018.pdf
    • http://rak4humanity.com/uploads/1/3/0/5/130589042/livejebewigasasolo.pdf
    • http://www.cantabileartsmanagement.com/uploads/1/3/0/6/130621301/mafixareri_poraxopug.pdf
    • http://www.gardenonthehills.com/uploads/1/3/0/4/130488924/ferufikom.pdf
    • http://procreditsol.com/uploads/1/3/0/6/130603692/5912411.pdf
    • http://delightyourspirit.com/uploads/1/3/0/8/130813643/6431294.pdf
    • http://suzart.org/uploads/1/3/0/4/130483271/2138549.pdf
    • http://edgrowthgroup.net/uploads/1/3/0/3/130323437/gulutinulapap-tugozutuligi-xisomabaga.pdf
    • http://naturallysport.net/uploads/1/3/0/3/130313067/5331911.pdf
    • http://www.love-at-first-sit.com/uploads/1/3/0/7/130739711/cbebc361cfa98.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006514.bin
142ab6e94e905a9ba1c1b030e9eb63b2f58a5b9c6e4b06d5109125854d15b5c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6514 7772 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.