Malicious PDF — malware analysis report

Static analysis result for SHA-256 9524b6113e5ad792…

MALICIOUS

PDF

66.0 KB Created: 2020-06-13 12:06:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7b5cfd0aba66a2f3ed7a38601dacf864 SHA-1: 489e175a5e05294672424529c25109f83cd3cb6f SHA-256: 9524b6113e5ad7923988b3481eb72a71cab6db1fa8bfe8a4369b785d799c91ee
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a significant number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. One of the primary external links is http://74-123-77-55.mgwnet.com/uploads/1/3/1/3/131384081/131384081.html#soleado+otra+vez+ma%25C3%25B1ana+ep+116+drama. The document body contains garbled text along with the same URL, suggesting a lure to a potentially malicious website. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-77-55.mgwnet.com/uploads/1/3/1/3/131384081/131384081.html#soleado+otra+vez+ma%25C3%25B1ana+ep+116+drama
    • http://designingfordementiajp.net/uploads/1/3/0/9/130969740/d5a01525708.pdf
    • http://deboramricks.com/uploads/1/3/0/4/130476503/kemovukigo.pdf
    • http://blindsail.com/uploads/1/3/0/4/130483863/dimawumafo_buworezi.pdf
    • http://tcuroxo.com/uploads/1/3/0/6/130605335/3225012.pdf
    • http://peterdimuro.com/uploads/1/3/0/8/130814459/kemojetoxubatagisi.pdf
    • http://hawaiianliterature.org/uploads/1/3/1/8/131871614/876990.pdf
    • http://220-ilo.ilovedropmint.com/uploads/1/3/0/3/130313063/3126162.pdf
    • http://gloriouslightcm.net/uploads/1/3/1/3/131383825/wirubawizolobewipe.pdf
    • https://sexobonuva.files.wordpress.com/2020/06/6678639395.pdf
    • https://mipogenulefi.files.wordpress.com/2020/06/tejusoxozolozulasirowir.pdf
    • https://zonutubuw.files.wordpress.com/2020/06/tujowel.pdf
    • https://mawefewo.files.wordpress.com/2020/06/14088458580.pdf
    • https://banisozix.files.wordpress.com/2020/06/zasikawujikaluvozar.pdf
    • https://xezifemubet.files.wordpress.com/2020/06/32989905506.pdf
    • https://zaremusajoxi.files.wordpress.com/2020/06/zaloguselowa.pdf
    • https://zabalojiji.files.wordpress.com/2020/06/26815512800.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ceae.bin
7c72c9ff27978f582a7e0ec366071cbe98c45820969de34bcbe3a0e6c0349c31		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCEAE 13280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.