Malicious PDF — malware analysis report

Static analysis result for SHA-256 89e9f1e3dd63578a…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Created: 2020-04-06 13:11:16 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4c6256d570b007db0b45928965e22873
SHA-1: 02201abe6727b1079c6f63e4859a1c04f97575e8
SHA-256: 89e9f1e3dd63578aa17b9ec750ecd6a235cae8f874a17aae4068a4581868d41c
Risk Score: 62

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or redirection strategy. The document body is heavily obfuscated and contains embedded URLs, reinforcing the attack pattern of directing users to external resources. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007f2e.bin
    SHA-256: 9aad008e2cf2b473edc56432397de6079a1d97379dc55e9548fdbeb14cfc54ce
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F2E
    Size: 7700 bytes
  • font_01_sfnt_off00009d35.bin
    SHA-256: 9f5082701ede3b34412025578f3613d16372f7e661c8785cd8d7b7f4cdd3c0ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9D35
    Size: 2800 bytes