Malicious PDF — malware analysis report

Static analysis result for SHA-256 aab0812acc27b785…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Created: 2020-03-22 12:45:17 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 52ea3798ee31de3d0a5d19d44fa7189d
SHA-1: e20929e6a8adca7ab3bdceb4b83bce4500e5f3a0
SHA-256: aab0812acc27b785bdb21a2435e8c3375f82dd24b6d98095ed3ec6aba26ef94f
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 Command and Scripting Interpreter: PowerShell (none of the four heuristics below reports script or PowerShell content in the file itself; this mapping describes the delivery chain, not code in the sample)

The PDF carries numerous external links, flagged by the PDF_URI and PDF_SEO_LINK_FARM heuristics. The body text, although partially corrupted, contains a title about personal information (changing a Social Security number) together with embedded URLs. The callback phishing lure heuristic indicates that the document tries to draw the user into a deceptive phone conversation, with the embedded links likely used afterwards for further malicious activity.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://havefitall.com/uploads/1/3/0/2/130272233/130272233.html#is+it+possible+to+get+your+social+security+number+changed
    • http://adriennesawesomecloset.com/uploads/1/3/0/5/130544390/3734076.pdf
    • http://thegeniusofhumility.com/uploads/1/3/0/2/130271157/7740933.pdf
    • http://seattle2025.org/uploads/1/3/0/3/130379218/rojobutabin-disuze.pdf
    • http://www.goihmanconsulting.com/uploads/1/3/0/5/130543032/49988a022467ee.pdf
    • http://triplejautomotive.net/uploads/1/3/0/5/130539072/dd615daf.pdf
    • http://thejackedhipster.com/uploads/1/3/0/6/130620451/rejakev_wuwuzisef_xazidewufid_zemuvizo.pdf
    • http://electrical-education-enterprises.com/uploads/1/3/0/5/130551325/6620133.pdf
    • http://webdisk.flirtsalonandspa.com/uploads/1/3/0/6/130621213/logewekos.pdf
    • http://beyoutifilychicbags.com/uploads/1/3/0/3/130323268/2563717.pdf
    • http://crystalcatdesigns.com/uploads/1/3/0/6/130604650/9550294.pdf
    Note that the ten .pdf targets above sit on different hosts but share one path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), which is the clustering the link-farm heuristic keys on. The remaining six URIs are XMP/RDF schema namespace identifiers from the document's metadata stream; they are not clickable links and are expected in any XMP-tagged PDF:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
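The following script is an added illustration of how the PDF_SEO_LINK_FARM and SE_CALLBACK_LURE heuristics and the XMP-namespace distinction above can be reproduced; it is not the analysis platform's code. It builds a small uncompressed PDF inline (placeholder hosts, a reserved 555 phone number, constructed body text), pulls URLs only from /URI actions so XMP namespace identifiers are never counted as links, and scores the result. The size, link-count and clustering thresholds are assumptions, and clustering by path template (in addition to the host clustering the heuristic text names) is this example's own generalisation, added because the report's own targets share a path template rather than a host.

```python
"""Triage for PDF_SEO_LINK_FARM, SE_CALLBACK_LURE and the XMP-namespace caveat.
Added example, not the analysis platform's code.  Regex-based: it only sees
uncompressed objects; real tooling inflates /FlateDecode streams first."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input (placeholder hosts, reserved 555 number); not the analysed file.
SAMPLE_LINKS = [
    "http://host-a.example/uploads/1/3/0/2/130272233/1.pdf",
    "http://host-a.example/uploads/1/3/0/2/130272233/2.pdf",
    "http://host-a.example/uploads/1/3/0/2/130272233/3.pdf",
    "http://host-a.example/uploads/1/3/0/2/130272233/4.pdf",
    "http://host-b.example/uploads/1/3/0/5/130543032/5.pdf",
    "http://host-c.example/uploads/1/3/0/6/130620451/6.pdf",
]
SAMPLE_XMP_NS = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                 "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/pdf/1.3/"]
SAMPLE_BODY = ("Your subscription was renewed for $299.99. "
               "To request a refund call 1-800-555-0199 now.")


def build_sample_pdf(links, xmp_ns, body):
    """Minimal uncompressed PDF: one page, one link annotation per URL, an XMP stream.
    No xref table, which is fine for byte-level triage."""
    annots = " ".join(f"{10 + i} 0 R" for i in range(len(links)))
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           + " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(xmp_ns)) + "/></x:xmpmeta>")
    content = f"BT /F1 12 Tf ({body}) Tj ET"
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >> endobj",
        f"4 0 obj << /Length {len(content)} >> stream\n{content}\nendstream endobj",
        f"5 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj",
    ]
    for i, url in enumerate(links):
        objs.append(f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
                    f"/A << /S /URI /URI ({url}) >> >> endobj")
    return ("%PDF-1.4\n" + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# The /URI *key* (followed by a string); the /S /URI action name is followed by "/" and is skipped.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')   # XMP schema namespaces, not links
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")        # crude text recovery from content streams


def extract_link_annotation_urls(pdf):
    """URLs a click would actually open (URI actions on link annotations)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def extract_xmp_namespace_uris(pdf):
    """Schema identifiers from XMP metadata; they look like URLs but nothing navigates to them."""
    return [m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf)]


def extract_body_text(pdf):
    return " ".join(m.group(1).decode("latin-1") for m in TJ_RE.finditer(pdf))


def path_template(url):
    """Collapse digits and the file name, so /uploads/1/3/0/2/130272233/a.pdf and
    /uploads/1/3/0/5/130543032/b.pdf share one template (this example's own signal)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory) + "/*"


def score_link_farm(pdf, max_kb=100, min_links=5, min_cluster_share=0.5):
    """Thresholds are assumptions.  Hit = small file + many external links + clustering
    on one host (as the heuristic text says) or on one path template (this example's addition)."""
    ext = [u for u in extract_link_annotation_urls(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in ext)
    templates = Counter(path_template(u) for u in ext)
    host_share = hosts.most_common(1)[0][1] / len(ext) if ext else 0.0
    tmpl_share = templates.most_common(1)[0][1] / len(ext) if ext else 0.0
    size_kb = len(pdf) / 1024
    hit = size_kb <= max_kb and len(ext) >= min_links and max(host_share, tmpl_share) >= min_cluster_share
    return {"size_kb": round(size_kb, 1), "external_links": len(ext), "unique_hosts": len(hosts),
            "top_host": hosts.most_common(1)[0][0] if hosts else None,
            "host_share": round(host_share, 2), "template_share": round(tmpl_share, 2),
            "PDF_SEO_LINK_FARM": hit}


PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
CALL_RE = re.compile(r"\b(call|dial|contact|phone)\b", re.I)
LURE_TERMS = ("refund", "billing", "subscription", "invoice", "charged", "renewed", "fraud", "security")


def find_callback_lure(text, window=120):
    """SE_CALLBACK_LURE: a phone number with a call verb and a billing/refund/fraud word nearby."""
    hits = []
    for m in PHONE_RE.finditer(text):
        ctx = text[max(0, m.start() - window): m.end() + window].lower()
        terms = [t for t in LURE_TERMS if t in ctx]
        if terms and CALL_RE.search(ctx):
            hits.append({"phone": m.group(0), "terms": terms})
    return hits


def triage(pdf):
    return {"link_farm": score_link_farm(pdf),
            "callback_lure": find_callback_lure(extract_body_text(pdf)),
            "xmp_namespaces_ignored": len(extract_xmp_namespace_uris(pdf))}


if __name__ == "__main__":
    print(triage(build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP_NS, SAMPLE_BODY)))
```

Run it as is to see the verdict for the constructed sample; point `triage()` at the bytes of a decompressed PDF to reuse the scoring. On a real file, inflate streams first (e.g. with a PDF parser's object model) or the regexes will miss anything inside /FlateDecode.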

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded font programs, which are normal for a wkhtmltopdf/Qt-generated document; they are listed for completeness and no heuristic above fires on them.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006ac2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6AC2  7332 bytes
  SHA-256: 8bdd135f744c4efb0cfbb4e1a6f1817f0b191d314d931f13727b6f681ea5fdfa
font_01_sfnt_off000087b5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x87B5  16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63