Malicious PDF — malware analysis report

Static analysis result for SHA-256 886097dc310c4d61…

MALICIOUS

PDF

38.4 KB Created: 2020-04-09 04:02:55 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 762a135ffb2ea7f31dc41a04ae3817ee SHA-1: e8742b54e7fe76483bce2bb6552772620c8a0395 SHA-256: 886097dc310c4d61c03410c83580ff5f9c51b7e7c04967cf85e547d213a6d4a1
102 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link

The PDF file contains a significant number of external links, many of which point to PDF files hosted on various domains, suggesting a link farm or SEO poisoning tactic. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document's content likely prompts the user to install a browser extension or update. This is a common social engineering technique to trick users into compromising their systems. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://designproinnovation.com/uploads/1/3/0/4/130483350/130483350.html#fx+derivatives+trader+school+giles+jewitt+pdf+download
    • http://lwmdtest.com/uploads/1/3/0/7/130740458/5712214.pdf
    • http://stretchstl.com/uploads/1/3/0/8/130813957/rodobuxobemigo.pdf
    • http://trailsofsilverlinings.me/uploads/1/3/0/2/130291523/sazizuj_vuvajedope.pdf
    • http://airstreamexpress.com/uploads/1/3/0/9/130969483/kegikisa.pdf
    • http://snipesconglomerate.com/uploads/1/3/0/6/130621125/jusofijorered-xosomel.pdf
    • http://soulsjam.com/uploads/1/3/0/3/130313436/lexivatisu.pdf
    • http://bubblecrop.com/uploads/1/3/0/5/130551927/b73218def9.pdf
    • http://bodysagespa.com/uploads/1/3/1/3/131379193/4950598.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006c77.bin
b8bcad74b5f55a6875906c0e4bde47e805b7851ab76954cbc75dda1b9af47724		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C77 8416 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.