Malicious PDF — malware analysis report

Static analysis result for SHA-256 91ca10737558b5dc…

Verdict: MALICIOUS
File type: PDF
Size: 41.5 KB
Created: 2020-04-06 03:18:38 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 43d2ed2f233a769fc3bbfd810b3a65cb
SHA-1: bbc7bc2f9a2b422f0837735372ab0a86d0774263
SHA-256: 91ca10737558b5dc364bb27d9ef51cfa33f181d0be6d892ffede200f3eb31917
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, a common technique for SEO poisoning or distributing malicious content. The document body presents a question about calorie counts, which is likely a lure to direct users to the embedded URLs. The primary heuristic indicates a 'PDF_SEO_LINK_FARM', suggesting the document's purpose is to host a mass of external links. The IOCs are the numerous URLs extracted from the document.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000078cd.bin
SHA-256:  c19ba956d5182e8b41f23cc4f644104889097d7a327f625af318a2e4f12cde49
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x78CD
Size:     8320 bytes