Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e57d4293d442fed…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-03-16 08:57:04 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c60d9310cfc71a7685cffdeb7c7907ac
SHA-1: 00fcc79d1ac59a73c63c0091d6b158d0d223b015
SHA-256: 8e57d4293d442feda286e52a9ac4f46fa6528ae9fa71a82a1bed26e4262ab8dc
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are structured in a way that suggests a link farm for SEO purposes. One of the embedded URIs, http://qggp4l.bdgct.com/uploads/1/3/1/1/131163507/131163507.html#chernobyl+zone+arma+3, is directly referenced in the document body. The heuristic 'SE_URGENCY_LURE' indicates the document likely contains language designed to prompt immediate action from the user. The combination of these factors strongly suggests a phishing or malicious redirection attempt.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [low] SE_URGENCY_LURE: Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.). Useful context, but low-signal without other findings.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://qggp4l.bdgct.com/uploads/1/3/1/1/131163507/131163507.html#chernobyl+zone+arma+3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000079ff.bin
Hash: 949e22186a59077dd7bd1a4c222f22039797db4caef87f7793045940eca525fd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x79FF
Size: 7844 bytes