PDF malware analysis — malicious · aa68d0e25c6a2da2

MALICIOUS

PDF

39.4 KB Created: 2020-03-15 02:16:11 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: e791dd664d8adf67f85a0155a76c07f2 SHA-1: ea955ab1fcc42ddce0b0be45e45dbf3eb150c05c SHA-256: aa68d0e25c6a2da2ec5913df870b74b086086172e25d5b32fe129401578926a4

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a lure related to a 'Silk browser video format not supported' error, which is a common tactic to trick users into clicking malicious links. The document exhibits characteristics of an advance-fee scam, with numerous links pointing to external PDF files hosted on various domains. These links likely lead to further stages of the attack, such as phishing pages or malware downloads.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://host25.carmichaelnl.com/uploads/1/3/0/5/130551006/130551006.html#silk+browser+video+format+not+supported
- http://psicolo.net/uploads/1/3/0/5/130588256/tuviwo_motewawaru_texanagewugaji_wasadaso.pdf
- http://jlcigars.com/uploads/1/3/0/7/130739480/bixeje.pdf
- http://endthedust.com/uploads/1/3/0/5/130540049/579dd5.pdf
- http://thehairshoppehinton.com/uploads/1/3/0/2/130289431/pibojen-nukubojonujo-butuzali-geroluvusumit.pdf
- http://www.tlpcookiedough.com/uploads/1/3/0/3/130323520/fe9d0ffa97.pdf
- http://etheniapolias.com/uploads/1/3/0/6/130604109/3522218.pdf
- http://www.fscreditservices.com/uploads/1/3/0/6/130640028/17068684a1cd3.pdf
- http://nashvillefoodandfun.com/uploads/1/3/0/5/130550770/920809.pdf
- http://1989raiders.com/uploads/1/3/0/6/130621965/611c729e.pdf
- http://mail.marthaattema.com/uploads/1/3/0/9/130969226/gudedekuxemazaf.pdf
- http://jij.net/uploads/1/3/0/6/130640052/0ad9aca62a.pdf
- http://nickclayton.sexy/uploads/1/3/0/4/130492038/5217397.pdf
- http://molecularsupplements.com/uploads/1/3/0/6/130620746/2f1f5558f.pdf
- http://driversboost.com/uploads/1/3/0/5/130551405/2127714.pdf
- http://davidbabaii.com/uploads/1/3/0/2/130271128/natebojiba.pdf
- http://bocaifengyun.br3h.com/uploads/1/3/0/7/130776677/temeluruj_sezoxelilet_vawifa_xegovonododi.pdf
- http://friendsofnjsoc.com/uploads/1/3/0/7/130739492/72335.pdf
- http://www.cams-collection.com/uploads/1/3/0/7/130739476/0bd460e80eef8.pdf
- http://dmscodes.com/uploads/1/3/0/7/130775198/b769ff1679ab69.pdf
- http://itsnotyouitsthebook.com/uploads/1/3/0/6/130621607/44c77c6d.pdf
- http://www.amandacollins.com.au/uploads/1/3/0/6/130640022/rorela.pdf
- http://spiritjourney.org/uploads/1/3/0/4/130435670/zorovuz-pojowuno.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00007083.bin` `306c2b20e42b9919352a2afe41421b077707d9878842b6f5521b7d803d70f579`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7083	7536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.