Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aaac6fd572f727b…

MALICIOUS

PDF

35.9 KB Created: 2020-03-20 04:00:12 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6827f1202505409bcc704864ba794bb8 SHA-1: 543f185fdfa30b073f895e417874dc0f3452b999 SHA-256: 8aaac6fd572f727b1bb0c9b28ed4964b2454cceded7aa32a5b0dcc2a638e0450
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a lure text suggesting it is a download for 'Adobe flash cs6 indir t k rk e'. However, static analysis reveals a large number of embedded external links, many of which point to other PDF files hosted on various domains. This indicates a link farm or redirection scheme designed to obscure the ultimate destination or to distribute further malicious content. The primary attack pattern involves social engineering through a deceptive download lure, leading users to click on a series of links.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gooebuttercakes.com/uploads/1/3/0/5/130550825/130550825.html#adobe+flash+cs6+indir+t%C3%BCrk%C3%A7e
    • http://aqueoushumour.ca/uploads/1/3/0/5/130539229/55220bf.pdf
    • http://michellesoh.com/uploads/1/3/0/4/130483368/8089212.pdf
    • http://jamesogilvyphotography.com/uploads/1/3/0/7/130739529/letoza.pdf
    • http://easyorchidgrowing.com/uploads/1/3/0/7/130740524/piwekokova_mivopape_vutupinogote.pdf
    • http://betaregistration.com/uploads/1/3/0/6/130620981/bajez_jafizenux.pdf
    • http://mutinymugs.net/uploads/1/3/0/7/130740376/nuburug_suwafaked.pdf
    • http://contractorwholesale.com/uploads/1/3/0/6/130620633/vurarupejazuzoxuxi.pdf
    • http://patienthealthinfo.com/uploads/1/3/0/2/130289521/dikamovemibugipib.pdf
    • http://www.fabstieve.com/uploads/1/3/1/0/131069915/7459288.pdf
    • http://bigcreekkennels.com/uploads/1/3/0/4/130476266/7f5d5d400c.pdf
    • http://www.davidbellmislan.com/uploads/1/3/0/8/130873880/disugevomadof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005fc1.bin
b61bbd06901c253748091eb6b2daf99b03cfb703fab7008e3b06266cd741cb99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FC1 9480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.