Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e9be81a0bc60078…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Created: 2020-04-14 21:06:16 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 085fdb3557626b5c11d0b3d8578d5141
SHA-1: 4ee12d0596ac75df4ad776d549944a7d30e676ba
SHA-256: 9e9be81a0bc6007841db63b1a7ff34454de0e8cee3eab80a8cf510b3c35d27ad
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF triggers two heuristics: a 'Callback phishing phone lure' and 'PDF_SEO_LINK_FARM', the latter indicating a large number of external links. The document body, though heavily obfuscated, contains a URL that appears to be a lure related to an Android update. The numerous external links, including ones with numeric slugs and potentially misleading filenames, suggest an attempt to direct users to malicious or phishing sites.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [medium] SE_CALLBACK_LURE: Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (document body): http://hermajesticbeauty.com/uploads/1/3/0/2/130288399/130288399.html#aggiornamento+android+9+huawei

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008ad0.bin
  SHA-256: 47aa851797f3aec88b24b4118e12df01a89efc79c0951bae7cfa2c5df07e94a3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8AD0
  Size: 9764 bytes

Filename: font_01_sfnt_off0000ae36.bin
  SHA-256: bb66d78edca8aa75a8db461931e44ad6eab12e4cd439df836d92d13c6ef6c22d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAE36
  Size: 2668 bytes