Malicious PDF — malware analysis report

Static analysis result for SHA-256 a93b1922c1ffebda…

MALICIOUS

PDF

39.7 KB Created: 2020-06-06 01:17:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fcbf48d1f73fec9316904f821d60a626 SHA-1: 082d31cdaca74d23ec67d7c633a09fae6d906dc3 SHA-256: a93b1922c1ffebda51ea1603ae67dae96a301422c6f5189fea72acb1ad9f9f40
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or a distribution point for malicious content. The presence of a 'download button' lure further supports a malicious intent. The document body contains a mix of seemingly unrelated text and URLs, including a specific lure for 'one direction songs full album download', which is likely a social engineering tactic to entice users to click on the embedded links.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://churchstrettontaxi.com/uploads/1/3/1/1/131163955/131163955.html#one+direction+songs+full+album+download
    • http://smtp.optimizedintellect.com/uploads/1/3/1/3/131383404/xawapidulapewabiza.pdf
    • http://beta.taskedapp.com/uploads/1/3/1/6/131637108/4331919.pdf
    • http://thebenefitsone.com/uploads/1/3/0/6/130621447/timal.pdf
    • http://6985route21.com/uploads/1/3/0/7/130739333/xifaxidudowa_jitabobatabixu.pdf
    • http://312woodworking.com/uploads/1/3/1/4/131408099/vivamub_dabisonakox.pdf
    • http://churchstrettontaxi.com/uploads/1/3/1/1/131163955/terms.html
    • http://churchstrettontaxi.com/uploads/1/3/1/1/131163955/dmca.html
    • http://churchstrettontaxi.com/uploads/1/3/1/1/131163955/policy.html
    • https://peribigugur.files.wordpress.com/2020/06/jafopitafejotaxefu.pdf
    • https://naxopovo.files.wordpress.com/2020/06/52349348418.pdf
    • https://fupalowonega.files.wordpress.com/2020/06/lusesewazamebijodo.pdf
    • https://wakatox.files.wordpress.com/2020/06/mivuzumidolisesanadol.pdf
    • https://rutoboxeg.files.wordpress.com/2020/06/28085971587.pdf
    • https://tusofagupi.files.wordpress.com/2020/06/welugubawufun.pdf
    • https://betusomoru.files.wordpress.com/2020/06/vuwelevoberuzibuso.pdf
    • https://segurako57848594.files.wordpress.com/2020/06/tamakugetidimaxomosol.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e1e.bin
2cf3e565ea9d20f2b7ced258b0d10267e13281d485ea9b38c6b230d1c179dc70		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E1E 11232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.