Malicious PDF — malware analysis report

Static analysis result for SHA-256 87275effd295fbe8…

MALICIOUS

PDF

39.7 KB Created: 2020-04-19 12:59:15 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b5c30be37edd5025c5b7f5baeddd1ddc SHA-1: 08d78d7deb7d8f46106ebc55782eb1438c0ed1cc SHA-256: 87275effd295fbe80845dcb75bccef272ff09cc605073e4933e15c08878de470
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous external links, many pointing to other PDF files hosted on various domains. The heuristic 'SE_PAYMENT_REDIRECT_LURE' suggests a business email compromise pattern, indicating the links may be used to redirect users to phishing pages or download further malicious content. The document body itself is largely unreadable, but the presence of the URL 'http://twinelectronicz.com/uploads/1/3/1/3/131380811/131380811.html#the+contrarian%27+s+guide+to+leadership+summary' within the body text reinforces the link-based attack vector.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://twinelectronicz.com/uploads/1/3/1/3/131380811/131380811.html#the+contrarian%27+s+guide+to+leadership+summary
    • http://prestigecoffeeroasting.com/uploads/1/3/0/6/130621587/0e2110.pdf
    • http://lawhornandassociates.com/uploads/1/3/1/3/131398278/bexufevaxegamib_letovavi.pdf
    • http://mariamexpopresentation.com/uploads/1/3/1/4/131438012/fapumipugigiwuriru.pdf
    • http://fpspiritwear.com/uploads/1/3/0/4/130483348/99734b1.pdf
    • http://id10ttechservices.com/uploads/1/3/0/3/130313513/lawuzosolajazu.pdf
    • http://pcfunited.com/uploads/1/3/0/4/130483819/nabobuvis.pdf
    • http://annanwhitney.com/uploads/1/3/0/5/130590700/8888954.pdf
    • http://ringsking.biz/uploads/1/3/0/7/130738576/8542338.pdf
    • http://autonomyjeans.com/uploads/1/3/1/6/131636719/jiwenowagedug.pdf
    • http://bulkano.com/uploads/1/3/1/0/131070926/guxedafivifexov.pdf
    • http://haulinmedia.com/uploads/1/3/0/4/130488316/soburaxilamexazilazu.pdf
    • http://proctorsilocleaning.com/uploads/1/3/1/4/131438473/wijazivasawila-raxaje-kakego-panojokedoro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007299.bin
c75315ea543696637a029aaef61d2bc4d18050f2a23bd6d364c6bf68ecd002eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7299 8384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.