Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cb8b71cd6443e9c…

MALICIOUS

PDF

36.2 KB Created: 2020-05-15 03:52:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f151a4c61d9a780b67fe37be8fdc9b0 SHA-1: 58d0f19f6a932997645397961ae31503528660c7 SHA-256: 9cb8b71cd6443e9c48ca3d91ce29b1a153f2edcbc616972c2e5d5ac8aea75776
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many pointing to other PDF files, indicative of a link farm or SEO spam campaign. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document is designed to trick users into believing they need a password to access an archive, a common tactic to bypass gateway security. No scripts were extracted from this sample, limiting the ability to determine the exact payload or execution method.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rebeccalaplacaattia.com/uploads/1/3/0/5/130551551/130551551.html#online+antivirus+scan+for+android+mobile
    • http://aivets2018.eu/uploads/1/3/1/6/131636960/bd5efa39.pdf
    • http://zeeshanbaig.com/uploads/1/3/0/2/130272640/tosun-melalukadeku.pdf
    • http://designsbydarline.com/uploads/1/3/0/7/130775589/natamijataxelaxopu.pdf
    • http://caindianstudies.org/uploads/1/3/0/2/130289542/2667515.pdf
    • http://loreleiday.com/uploads/1/3/1/8/131856146/relax.pdf
    • http://wellnesshealthconsultants.com/uploads/1/3/0/5/130590569/gapowewupanate_buxawava_funexefubiwijum_naroritebimixos.pdf
    • http://jetoyzone.com/uploads/1/3/0/2/130291623/1787549.pdf
    • http://maeganprovan.com/uploads/1/3/0/9/130968995/1862601.pdf
    • http://cupofjavaproductions.com/uploads/1/3/1/1/131163927/wafotumi-nesezexakolib-xarixa.pdf
    • http://beyondthebasicsinc.org/uploads/1/3/1/1/131163834/fevivot_ridefad_donapofo_xadozerovu.pdf
    • http://radiomajaja.com/uploads/1/3/0/6/130639867/tigasu.pdf
    • http://compasspointproperties.com/uploads/1/3/0/5/130589145/lokukonagugiwusu.pdf
    • http://gamechanger-media.com/uploads/1/3/0/7/130739919/6682459.pdf
    • http://deninteractives.com/uploads/1/3/1/8/131871762/4967275.pdf
    • http://alchemiventures.com/uploads/1/3/1/6/131636872/venenidedis.pdf
    • http://graphite.agency/uploads/1/3/0/2/130271054/1448280.pdf
    • http://yourownblueprint.com/uploads/1/3/1/6/131606330/jevexewev.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006280.bin
151bf92cf5e50a0e48c1020c27f9e8f5700bffeca41f9af8fdb19bd776f66d35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6280 10116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.