Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a51944a5fb1efbf…

Verdict: MALICIOUS
File type: PDF
Size: 38.5 KB
Created: 2020-03-15 05:49:19 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: af3b188fcb06a098a4881faadb2076a3
SHA-1: 50f06c6258ec221faa32dbd9f85d5c90ef501bb8
SHA-256: 8a51944a5fb1efbfa207d8e82e0abbc5da27d83b5947837e02cc5ad78e57f7a9
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains a large number of external links, most of them pointing to other PDF files that sit under an identical /uploads/1/3/0/.../ path on many different domains. That pattern is characteristic of an automatically generated SEO link farm rather than genuine citations; the authoring application (wkhtmltopdf) confirms the document was rendered from HTML, which is how such carriers are mass-produced. The first URL's fragment (chemdraw+pro+13.+0+free) is a cracked-software lure, and the 'download button' call to action exists to get the user to click through. No scripts were extracted, so the document itself does not execute anything; the risk is that the links redirect users into unwanted-software or malware delivery chains, and the links, not the file, are what should be blocked and hunted for.

Heuristics (4)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links. In this sample they span many hosts but share the same /uploads/1/3/0/N/<id>/ path structure, which matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it only counts when other findings point to a malicious workflow, as they do here.
  • PDF_URI [info]: External URI
    PDF contains an external URL action (a /URI action reachable from a link annotation).
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached it (macro, JavaScript, link annotation, document body, ...), since only some channels are clickable or executable.
    • http://martape.com/uploads/1/3/0/5/130589435/130589435.html#chemdraw+pro+13.+0+free
    • http://justinalfond.net/uploads/1/3/0/2/130291624/siwiwimis.pdf
    • http://sar-casm.com/uploads/1/3/0/6/130620454/2891835.pdf
    • http://www.aqichen.business/uploads/1/3/0/2/130289496/7323150.pdf
    • http://www.silentxc.com/uploads/1/3/1/0/131071299/rokukared.pdf
    • http://deafperutour.com/uploads/1/3/0/5/130588269/mudinomanunu-bonekixexi-fufaxifag.pdf
    • http://allamericandogexpo.com/uploads/1/3/0/5/130551457/732eaeac49dc8.pdf
    • http://radiomaingo.com/uploads/1/3/0/4/130489343/pasimefekapif.pdf
    • http://gabriellehasamearphotography.com/uploads/1/3/0/7/130775712/sinepaw.pdf
    • http://thomasmontero.com/uploads/1/3/0/6/130621784/mogesozapofado.pdf
    • http://bpspecialties.com/uploads/1/3/0/6/130639766/fodupini.pdf
    • http://pro2290.com/uploads/1/3/0/7/130739264/manezutirutu.pdf
    • http://www.middletonlandcompany.com/uploads/1/3/0/4/130436318/rifuba_tosudo.pdf
    • http://www.eagleslandingcabin.net/uploads/1/3/0/3/130323455/kesazoliga.pdf
    • http://premioscocacola.com/uploads/1/3/0/3/130379172/3146304.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF, Dublin Core and XMP namespace identifiers from the document's metadata packet. They are present in any PDF that carries XMP metadata, are not clickable, and should not be counted towards the link-farm finding.
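The four heuristics above describe one pipeline: find every URL in the file, record which channel produced it, and then score only the clickable link-annotation channel for the link-farm pattern. The Python below is an added example of that pipeline written for this page; it is not the analysis platform's own code. It builds a constructed PDF (placeholder hosts, paths shaped like the report's /uploads/... list, a 'Click here to download' string and an XMP packet with two namespace URIs) and runs a carver-style extractor over the raw bytes. The thresholds (at least 8 links, at most 200 KB, at least half the targets ending in .pdf) are this example's assumptions, not the platform's.

```python
"""Link-farm triage over a PDF's URL channels (added example, not the report's tooling)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

DOWNLOAD_PHRASES = ("click here to download", "download now", "download pdf")

# Constructed inputs (not from the analysed sample): placeholder hosts, but the
# paths copy the /uploads/1/3/0/N/<id>/ shape of the report's URL list.
SAMPLE_LINKS = [f"http://host{i}.example/uploads/1/3/0/{i}/13000{i}/f{i}.pdf" for i in range(10)]
SAMPLE_LINKS.append("http://landing.example/uploads/1/3/0/5/1305/1305.html#tool+free")
SAMPLE_XMP = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://ns.adobe.com/xap/1.0/"]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_KEY_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal string) in an action
XMLNS_RE = re.compile(rb'xmlns:[\w-]+="([^"]+)"')                  # namespace decls in XMP metadata
TJ_TEXT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj", re.S)     # text actually drawn on the page
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")               # catch-all for leftover strings


def pdf_string(s):
    """Encode a str as a PDF literal string."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"


def build_sample_pdf(links, xmp_namespaces, cta="Click here to download"):
    """One-page PDF with a /Link annotation per URL plus an XMP stream. No xref
    table is written; the extractor below reads raw bytes, as a carver would."""
    annot_refs = " ".join(f"{6 + i} 0 R" for i in range(len(links)))
    content = f"BT /F1 12 Tf 10 10 Td {pdf_string(cta)} Tj ET"
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           + " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_namespaces)) + "/></x:xmpmeta>")
    objs = ["<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R /Annots [{annot_refs}] >>",
            f"<< /Length {len(content)} >>\nstream\n{content}\nendstream",
            f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream"]
    objs += [f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 100 {i * 12 + 10}] "
             f"/A << /S /URI /URI {pdf_string(u)} >> >>" for i, u in enumerate(links)]
    body = "%PDF-1.4\n" + "".join(f"{n + 1} 0 obj\n{o}\nendobj\n" for n, o in enumerate(objs)) + "%%EOF\n"
    return body.encode("latin-1")


def decoded_view(pdf):
    """Raw bytes plus every stream body that inflates. Object streams and
    encrypted files need a real parser; this is deliberately a carver's view."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def unescape(s):
    """Undo PDF literal-string escapes for backslash and parentheses."""
    return re.sub(rb"\\([\\()])", rb"\1", s).decode("latin-1")


def extract_urls(view):
    """Return (url, channel) pairs. Only 'link-annotation' is a clickable channel;
    'xmp-metadata' entries are namespace identifiers, not links."""
    found = []
    for m in URI_KEY_RE.finditer(view):
        found.append((unescape(m.group(1)), "link-annotation"))
    for m in XMLNS_RE.finditer(view):
        found.append((m.group(1).decode("latin-1"), "xmp-metadata"))
    seen = {u for u, _ in found}
    for m in ANY_URL_RE.finditer(view):            # anything left is an unattributed string
        u = m.group(0).decode("latin-1")
        if u not in seen:
            found.append((u, "raw-bytes"))
            seen.add(u)
    return found


def has_download_lure(view):
    shown = b" ".join(m.group(1) for m in TJ_TEXT_RE.finditer(view)).lower()
    return any(p.encode() in shown for p in DOWNLOAD_PHRASES)


def assess(pdf, min_links=8, small_bytes=200 * 1024, pdf_target_ratio=0.5):
    """Apply the report's heuristics. The thresholds are this example's assumptions."""
    view = decoded_view(pdf)
    urls = extract_urls(view)
    clickable = [u for u, ch in urls
                 if ch == "link-annotation" and u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    pdf_targets = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    # Collapse digit runs so paths that differ only in numeric IDs compare equal.
    shapes = Counter(re.sub(r"\d+", "N", urlsplit(u).path) for u in clickable)
    findings = []
    if clickable:
        findings.append("PDF_URI")
    if (len(pdf) <= small_bytes and len(clickable) >= min_links
            and len(pdf_targets) / len(clickable) >= pdf_target_ratio):
        findings.append("PDF_SEO_LINK_FARM")
    if has_download_lure(view):
        findings.append("SE_DOWNLOAD_BUTTON")
    return {"size": len(pdf), "urls": urls, "distinct_hosts": len(hosts),
            "pdf_targets": len(pdf_targets),
            "common_path_shape": shapes.most_common(1)[0] if shapes else None,
            "findings": findings}
```

Running `assess(build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP))` labels the two XMP namespaces as `xmp-metadata`, leaves eleven `link-annotation` URLs across eleven hosts, and raises all three of PDF_URI, PDF_SEO_LINK_FARM and SE_DOWNLOAD_BUTTON; the same document with two links and no call to action raises only PDF_URI. The digit-collapsed path shape is the quickest way to see that links on unrelated domains were minted by one generator, which is exactly what the report's URL list shows.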

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs, which are normal output of an HTML-to-PDF converter such as wkhtmltopdf; they carry no finding of their own.

Filename / SHA-256 | Kind | Source | Size

font_00_sfnt_off000065ba.bin
  SHA-256: c331e3cc34716b1f41af7cd9e20420297f67be3daaf64d650ab433655540c75d
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x65BA | Size: 7968 bytes

font_01_sfnt_off0000848d.bin
  SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
  Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x848D | Size: 1708 bytes
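Each row above records the byte offset of a font stream, its decoded size and its SHA-256. The Python below is an added example, written for this page rather than taken from the platform's carver, of how such rows are produced: walk the stream objects, inflate the FlateDecode ones, keep those whose first four bytes are an sfnt magic, and name each file font_NN_sfnt_off<offset>.bin. The constructed PDF, the fake font blobs, and the assumptions that the offset is that of the first byte of stream data and that the hash is over the decoded font program are this example's, not the report's.

```python
"""Carve embedded sfnt font streams from a PDF (added example, not the report's tooling)."""
import hashlib
import re
import zlib

# First four bytes of an sfnt container, which is what "embedded font (sfnt)" means.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
               b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}

# "N 0 obj << ... >> stream": the dict may not run across an endobj, so a
# dict-only object cannot swallow the next object's stream.
STREAM_OBJ_RE = re.compile(
    rb"(?P<num>\d+)\s+\d+\s+obj\s*<<(?P<dict>(?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect "/Length 7 0 R" falls back to scanning for endstream.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?![\d\s]*R)")

# Constructed stand-ins for font programs: real sfnt headers, junk table data.
FONT_TT = b"\x00\x01\x00\x00" + b"\x00\x03" + bytes(range(256)) * 4
FONT_OTTO = b"OTTO" + b"\x00\x02" + b"\xaa" * 300
CONTENT = b"BT /F1 12 Tf (Click here to download) Tj ET"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def stream_obj(num, payload, compress, extra=b""):
    """Serialise one stream object, optionally FlateDecode-compressed."""
    data = zlib.compress(payload) if compress else payload
    flt = b" /Filter /FlateDecode" if compress else b""
    return b"%d 0 obj\n<< /Length %d%s%s >>\nstream\n%s\nendstream\nendobj\n" % (
        num, len(data), flt, extra, data)


def build_sample_pdf():
    """Catalog, a Flate content stream, one Flate font stream and one raw font stream."""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            + stream_obj(2, CONTENT, True)
            + stream_obj(3, FONT_TT, True, b" /Length1 %d" % len(FONT_TT))
            + stream_obj(4, FONT_OTTO, False)
            + b"%%EOF\n")


def iter_streams(pdf):
    """Yield (object number, offset of stream data, dict bytes, raw stream bytes)."""
    for m in STREAM_OBJ_RE.finditer(pdf):
        start = m.end()
        lm = LENGTH_RE.search(m.group("dict"))
        if lm:
            end = start + int(lm.group(1))
        else:
            end = pdf.find(b"endstream", start)
            end = len(pdf) if end == -1 else end
        yield int(m.group("num")), start, m.group("dict"), pdf[start:end]


def carve_fonts(pdf):
    """Decode each stream, keep the ones that start with an sfnt magic, and
    name them the way the report does: font_NN_sfnt_off<offset>.bin."""
    carved = []
    for num, offset, d, raw in iter_streams(pdf):
        data = raw
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue          # corrupt or multi-filter stream: leave to a full parser
        flavor = SFNT_MAGICS.get(data[:4])
        if flavor is None:
            continue
        carved.append({"filename": f"font_{len(carved):02d}_sfnt_off{offset:08x}.bin",
                       "object": num, "offset": offset, "flavor": flavor,
                       "size": len(data), "sha256": sha256_hex(data)})
    return carved
```

`carve_fonts(build_sample_pdf())` returns two entries, for objects 3 and 4, with the TrueType one first. Hashing the decoded program rather than the compressed bytes is what makes the SHA-256 comparable across samples: the same font embedded by the same generator in two different link-farm PDFs will hash identically even though the Flate output differs.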