Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dc1b0eb56e3a696…

MALICIOUS

PDF

41.6 KB Created: 2020-05-04 15:10:14 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 669c3db933ae331928ff6700e19ec882 SHA-1: b8120ad98f7d621ff652675fa39f9573e276943f SHA-256: 9dc1b0eb56e3a69699df64f5ce9dda463fb7bcbcba27d7d8484068dc72a93564
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, many pointing to other PDF files, suggesting a link farm for SEO manipulation or to host further malicious content. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates that the document likely instructs the user to open a password-protected archive, a common tactic to bypass security scanning. The embedded URLs are likely part of this lure, directing users to download or access the next stage of the attack. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://arssystemscorp.com/uploads/1/3/1/4/131405940/131405940.html#bohemian+rhapsody+sheet+pdf
    • http://pocketfriendlyonline.com/uploads/1/3/0/2/130270798/6785921.pdf
    • http://verticeinteligencia.com/uploads/1/3/0/3/130323633/mukigomawiniwaz.pdf
    • http://zefi.eu/uploads/1/3/0/2/130289282/zuripomogodegi.pdf
    • http://ginashiddentreasures.com/uploads/1/3/0/7/130740212/d2668979676f7.pdf
    • http://brownstonesells.com/uploads/1/3/0/6/130620750/1de6af.pdf
    • http://45innovations.com/uploads/1/3/0/6/130620828/sesim.pdf
    • http://kimprintzcustoms.com/uploads/1/3/0/3/130379466/lifused.pdf
    • http://puertoricandj.com/uploads/1/3/1/4/131437733/zukoredowa-sakojufusudi-ruzamusas.pdf
    • http://centxpracticemgmt.com/uploads/1/3/0/4/130478819/0ee96459ca394.pdf
    • http://stockadefarm.com/uploads/1/3/1/1/131164121/livugani.pdf
    • http://writersboutique.ca/uploads/1/3/0/5/130550803/2666584.pdf
    • http://specialyogaworks.org/uploads/1/3/0/5/130550781/zodukapilusaru.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007336.bin
0d9ab8f45c3b2f2004a1e2d093aa060589ae1a084409bfa71564d9d2cbe57fde		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7336 12072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.