Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a508f10ae88e96f…

MALICIOUS

PDF

35.5 KB Created: 2020-06-04 05:46:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7cdb38f792054acabc1dacc6b19c1a00 SHA-1: 4835d03c39e1af5e14dc3d038bc3364b046d9bd5 SHA-256: 8a508f10ae88e96fb712e9f0c4a71ded7e491f070787e9eb72d58a4546b80eea
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous external links, a common technique for SEO poisoning or directing users to malicious sites. The heuristic 'SE_INVOICE_LURE' indicates the document's content is designed to mimic an invoice or payment request, further encouraging user interaction with the embedded links. The primary link identified is http://ryleemackenzie.com/uploads/1/3/1/6/131606563/131606563.html#contra+revenue+account+list, which likely leads to a malicious payload or phishing page.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ryleemackenzie.com/uploads/1/3/1/6/131606563/131606563.html#contra+revenue+account+list
    • http://kc-marren.com/uploads/1/3/0/7/130738998/4184376.pdf
    • http://makesomethingilove.com/uploads/1/3/1/0/131070774/wukilelurimi.pdf
    • http://tkacabin.com/uploads/1/3/1/6/131636675/todet.pdf
    • http://true-skillz.com/uploads/1/3/1/3/131383958/topuwo.pdf
    • http://queerhealthmaine.org/uploads/1/3/1/4/131437064/rigunoroxiwi_vurok_masedesezavenur.pdf
    • http://mobil-krane.de/uploads/1/3/0/4/130476505/sugoboxo-kugukivogoro.pdf
    • http://womadixfund.org/uploads/1/3/1/4/131453810/2996a2f.pdf
    • http://greenvenient.com/uploads/1/3/0/2/130289292/nakato-pegugu-sojelis.pdf
    • http://ryleemackenzie.com/uploads/1/3/1/6/131606563/terms.html
    • http://ryleemackenzie.com/uploads/1/3/1/6/131606563/dmca.html
    • http://ryleemackenzie.com/uploads/1/3/1/6/131606563/policy.html
    • https://lafukaraziba.files.wordpress.com/2020/06/70393988382.pdf
    • https://dekupuwapo627084595.files.wordpress.com/2020/06/merekofenuk.pdf
    • https://sosinogezop.files.wordpress.com/2020/06/19488530520.pdf
    • https://giwubijadefe.files.wordpress.com/2020/06/nirisovuxamapejixetubi.pdf
    • https://wozokaju.files.wordpress.com/2020/06/2373157969.pdf
    • https://gipugof.files.wordpress.com/2020/06/64343671994.pdf
    • https://sakeweter812408916.files.wordpress.com/2020/06/27330667722.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000618d.bin
5fbe9ad6a96298ad8a84cff1339ecbdbaad8f81c4500fbe8791225f3a1ae8be5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x618D 9532 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.