Malicious PDF — malware analysis report

Static analysis result for SHA-256 a898ee7cc393e761…

MALICIOUS

PDF

52.7 KB Created: 2020-05-21 11:53:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 72dad915fa8da590816be2307aaaa46c SHA-1: 3ef726c97cba75cb096cc99eaed6e7b3ca2bd7c0 SHA-256: a898ee7cc393e7612d3c33a71c68d0aad3b9566b0dd523aaed7b6d0d38307ec0
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links, indicated by the PDF_SEO_LINK_FARM heuristic. The document body contains text related to software licenses and application metadata, suggesting a lure. The primary attack pattern involves redirecting users to numerous external domains, likely for SEO spam or to host further malicious content. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://victorypayrollsolutions.com/uploads/1/3/0/6/130639590/130639590.html#licencia+eset+nod32+antivirus+9
    • http://insotalt.com/uploads/1/3/1/3/131382032/bukun_wixitoxusat_pijatololejop_zopedamodabo.pdf
    • http://bigopmediainc.com/uploads/1/3/0/7/130740217/wefaselig_zetevomo_subijav_doribil.pdf
    • http://natalieeldridge.com/uploads/1/3/0/6/130603809/1747040.pdf
    • http://insequ.com/uploads/1/3/1/3/131380848/e4d1eb7a1.pdf
    • http://alexparkinson.org/uploads/1/3/0/6/130604414/vurin-nodezisebu-tanutejuvupox.pdf
    • http://mymssp.net/uploads/1/3/0/9/130969053/b7db1469d.pdf
    • http://hiphopsdamagecontrol.com/uploads/1/3/1/4/131437693/sowedowawasitumoz.pdf
    • http://kingsandqueensny.com/uploads/1/3/0/2/130272426/gozogu_jopaguvokusetux.pdf
    • http://jsnobles.com/uploads/1/3/0/6/130621345/8314474.pdf
    • http://allinonevacs.com/uploads/1/3/0/5/130539185/9509527.pdf
    • http://storytimecorner.com/uploads/1/3/1/1/131163683/maparebukaz-jeparosetopis.pdf
    • http://sheastrong.org/uploads/1/3/0/5/130538875/zomesubaxenaxe.pdf
    • http://rockymountainmusicfestival.net/uploads/1/3/0/6/130639236/bubumudilam.pdf
    • http://sendyouasong.com/uploads/1/3/0/9/130969747/9669502.pdf
    • http://kolaygirisim.com/uploads/1/3/0/4/130478374/c8cedfc5e214d38.pdf
    • http://leavesbylyrik.com/uploads/1/3/0/6/130605248/mupirat_gerudaxuveler_xowujuxefuduf.pdf
    • http://auctiontrainers.com/uploads/1/3/0/7/130740212/vikefopubawoviduta.pdf
    • http://romancified.com/uploads/1/3/0/6/130639896/koborexite.pdf
    • http://adventuresinfaith.net/uploads/1/3/0/6/130620942/bitulupokujavef_zetumokudavi_jigeruv.pdf
    • http://mycommunity.nyc/uploads/1/3/1/0/131070407/jufoti.pdf
    • http://infermiereinzona.com/uploads/1/3/0/2/130289485/9104141.pdf
    • http://mjgiftscompany.com/uploads/1/3/0/5/130543133/toxonija.pdf
    • http://kbartistry.net/uploads/1/3/1/4/131438557/ratumekero-tiximixunabofu-perusogepenow-jubipopib.pdf
    • http://prnstaffingsolutions.org/uploads/1/3/1/3/131383733/a825476ef27.pdf
    • http://silvanfriedman.com/uploads/1/3/0/6/130621847/busagabesen_kodubiruwanubu_jokigof.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dff.bin
ffeb89eaad713c9717385028f79c9757067aafb2c2382ea8cbab0e6efe35a425		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DFF 6744 bytes
font_01_sfnt_off00007edb.bin
ba73f21ddc86149a129f02267fc66c249d57f059994a016b16354747eb6392c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EDB 2396 bytes
font_02_sfnt_off0000899e.bin
a3e103802d2138a2887f7616b55adb4320ff6eba7a86e39aec196fdc83f569a6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x899E 11668 bytes
font_03_sfnt_off0000afdd.bin
2ec471bc1dd097ba7445d0d98fae4076614f7d308a936bf5c28a382db3fe60d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAFDD 16304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.