Malicious PDF — malware analysis report

Static analysis result for SHA-256 94c8eaa02a641d41…

MALICIOUS

PDF

36.9 KB Created: 2020-06-07 22:44:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aa3d292584b91e60f8d86390664eccdf SHA-1: 30ea1705231ba6fff7edc8208835a7b57a4931fd SHA-256: 94c8eaa02a641d41dc551c891354253740c640d46f37faca56f92c5c094d9de6
110 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1071.001 Web Protocols

The PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or redirection scheme. The presence of a 'Security software disable instruction' heuristic firing indicates a strong attempt to bypass security measures. The document body also contains a call-to-action phrase related to downloading Terraria, further supporting a lure-based attack pattern. The numerous external URLs and the instruction to disable security software are the primary indicators of malicious intent.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://acompassforcalm.com/uploads/1/3/1/0/131070011/131070011.html#terraria+1.3+5.3+download+pc+mediaf%25C4%25B1
    • http://falaliyulechengbaijialehaowan.br3h.com/uploads/1/3/0/7/130776788/97648e.pdf
    • http://cpanel.savonneriecosmetiquedelabaie.ca/uploads/1/3/0/6/130639428/fetovaxirokip.pdf
    • http://pasifiko.com/uploads/1/3/0/2/130272484/aabc929c8e1b.pdf
    • http://fairchilddentalservices.com/uploads/1/3/0/6/130620412/mavug_vupubozoxi_rizezaxemabadi.pdf
    • http://doraslodge.com/uploads/1/3/0/7/130738711/linojikulukofaw-gitulofijode.pdf
    • http://lyne.solutions/uploads/1/3/0/6/130620878/be3c5e140b57cd.pdf
    • http://gooebuttercakes.com/uploads/1/3/0/6/130605263/9ac8046c7.pdf
    • http://chucklecottage.com/uploads/1/3/1/4/131455722/f4956bafc07.pdf
    • http://roadapedia.com/uploads/1/3/0/2/130288552/566690eccd09.pdf
    • http://mail.massageformommies.com/uploads/1/3/1/3/131383613/mureledoli-rikamenemep-pefate-lunijekutetetin.pdf
    • https://tigizenawa.files.wordpress.com/2020/06/maremikura.pdf
    • https://lamizawozaf.files.wordpress.com/2020/06/mewudod.pdf
    • https://vizimixez.files.wordpress.com/2020/06/89415800264.pdf
    • https://nuredetadu.files.wordpress.com/2020/06/96077987410.pdf
    • https://tozoxisot.files.wordpress.com/2020/06/24959030419.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060df.bin
8694e0983ccf916be5764bee16cf9259fca0bc0a90d10898ad0286007a578ab3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60DF 11000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.