Malicious PDF — malware analysis report

Static analysis result for SHA-256 83c2be85cefbce65…

Verdict: MALICIOUS
File type: PDF
Size: 85.6 KB
Created: 2020-03-24 19:09:44 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5b99110508641041e6c9dac711d3062c
SHA-1: c0fa27fa3d50a83a6c6fdbe2fb7a893d3562ae6d
SHA-256: 83c2be85cefbce658759f087967d8c2ae7cb0b053d6a60965fd9076761194623
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. This pattern is indicative of a link farm or a redirection mechanism designed to obscure the ultimate destination, and the heuristic 'PDF_SEO_LINK_FARM' strongly suggests it is a malicious technique. The document body contains a reference to 'The crying game definition', and the metadata indicates the file was generated by wkhtmltopdf; either could be a lure or part of the obfuscation. No scripts were extracted from this sample, which limits the ability to determine the specific payload delivery or execution method.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://wiinmark.net/uploads/1/3/0/7/130738939/130738939.html#the+crying+game+definition

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

  • stream_010_off0001139d.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1139D
    Size: 19308 bytes
    SHA-256: 1e7f193219d252bff7b131d265a249595c1ec3ea33720dd30cb827603748dbae
  • font_00_sfnt_off0000a049.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA049
    Size: 7316 bytes
    SHA-256: b1118302c5517eb61a6a239cbb0c0398f36a596cc95e76ebefef7294164c1510
  • font_01_sfnt_off0000b32f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB32F
    Size: 10240 bytes
    SHA-256: bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
  • font_02_sfnt_off0000c943.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC943
    Size: 11980 bytes
    SHA-256: 0c66d4669bbe99d3540862f614207026d544a2251b29300b319c9e959083211c
  • font_03_sfnt_off0000f084.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF084
    Size: 6908 bytes
    SHA-256: 03742b3af56d0894ab5df65dc3134d6d1f1537ecfbbc759efc3d5c9763d8381a
  • font_04_sfnt_off00010738.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10738
    Size: 3508 bytes
    SHA-256: 4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470
  • font_06_sfnt_off000133e7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x133E7
    Size: 7080 bytes
    SHA-256: 209285855742c6758e3ffd9d874aca3910af01dd296ec59719b0eb83c6708343