Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8959e98429d7589…

MALICIOUS

PDF

40.1 KB Created: 2020-04-04 10:11:57 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7eee2a90cc233fcb48afa4083a1a2572 SHA-1: daa0a4a3a7d913182d58abac78e7de257d87eefe SHA-256: a8959e98429d7589c9d92b0f309d7c24f5d42cf75475ea03da4f236127dd487d
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many pointing to other PDFs, which is indicative of a link farm designed to obscure malicious intent. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document's purpose is to trick the user into downloading a password-protected archive, likely containing a malicious payload. The embedded URLs are part of this lure, directing users to potentially malicious content.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ziasptyltd.com/uploads/1/3/0/6/130604505/130604505.html#https+www+apologia+combook+extras+online
    • http://mensurartopografia.net/uploads/1/3/0/8/130874308/1a4825ced.pdf
    • http://maternalinstinctdoula.com/uploads/1/3/0/6/130639867/1e4f3956e75.pdf
    • http://soulnecta.net/uploads/1/3/0/5/130550951/xinenawigivexol.pdf
    • http://yourtime2lead.com/uploads/1/3/0/5/130588257/5239260.pdf
    • http://thestyletaco.com/uploads/1/3/0/4/130478314/wanesipokuvukel.pdf
    • http://northsouthkingdom.com/uploads/1/3/0/4/130483202/23dafe.pdf
    • http://terranovamd.net/uploads/1/3/0/6/130639445/varijujikopugav.pdf
    • http://quientvpanama.com/uploads/1/3/1/3/131383959/728706.pdf
    • http://kappacommunity.org/uploads/1/3/0/6/130640197/biluxux_manulomabeninix_vapivadolaviv_mejutojaf.pdf
    • http://outreachchemistrycloud.com/uploads/1/3/0/6/130640208/punutaxomipi.pdf
    • http://thomasturkle.com/uploads/1/3/0/4/130476541/pufipasuw.pdf
    • http://arielderuvochildcare.com/uploads/1/3/0/4/130476322/f81d2.pdf
    • http://sexualgames.org/uploads/1/3/1/4/131483371/1066939.pdf
    • http://silviaprestes.com/uploads/1/3/0/4/130483155/1880275.pdf
    • http://franceswatkinsartist.com/uploads/1/3/0/3/130379627/rabudofexofeb_solojib_bibavagobomax.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007340.bin
4b15dc878a2682e5fc20454f3efa60995101694fe00889bb91f9c7b19675128f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7340 8248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.