Malicious PDF — malware analysis report

Static analysis result for SHA-256 982de0f076eb39bb…

MALICIOUS

PDF

39.8 KB Created: 2020-03-16 02:44:34 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 19d4704b7eaa41575dce2e95f9b3a520 SHA-1: bb7a5a93bcf4ca1a4d459df8886164d5e9d7636e SHA-256: 982de0f076eb39bb6ddaabd8d48add7d72a4329a1af1500bc97f1883d1f10349
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links, a technique often used in SEO link farms to manipulate search engine rankings or distribute malicious content. The presence of a 'download button' lure and numerous embedded URLs pointing to other PDF files suggests a delivery mechanism for further malicious content. The document body itself is heavily obfuscated and contains a mix of metadata and what appear to be URLs, reinforcing the link farm and download lure strategy.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lanie-logan.rominastiebenphotography.com/uploads/1/3/0/4/130476523/130476523.html#brandon+grotesque++mac
    • http://littlethinkers.net/uploads/1/3/0/6/130640094/ribajizoda.pdf
    • http://comingdeerstudios.com/uploads/1/3/0/5/130551160/xizizozitojurotamuve.pdf
    • http://youngandconstantin.com/uploads/1/3/0/4/130483808/8802240.pdf
    • http://griderfamily.net/uploads/1/3/0/4/130476703/41df75354.pdf
    • http://4lifehealthwealth.com/uploads/1/3/0/4/130476308/4036368.pdf
    • http://www.spacecoastag.com/uploads/1/3/0/3/130323092/gizufolasiwuzewo.pdf
    • http://pacesettersinstitute.com/uploads/1/3/0/6/130604067/8148505.pdf
    • http://spyoptionstrade.com/uploads/1/3/0/7/130739063/53ee7.pdf
    • http://ketore.com/uploads/1/3/0/5/130546645/293923.pdf
    • http://comfy-blankets.com/uploads/1/3/0/8/130814234/mevov-volaxisikup-pugemew.pdf
    • http://kruzn.com/uploads/1/3/0/2/130289620/goworedape.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000677e.bin
e598894c60868900b5e50e4e9cde0cb5a757925ab8cd1893eb2e0e550db9b68c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x677E 8272 bytes
font_01_sfnt_off00008722.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8722 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.