Malicious PDF — malware analysis report

Static analysis result for SHA-256 aed3d7631898b3e6…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Created: 2020-04-19 20:21:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4533e38f2c5aef03271f77e62214a37e
SHA-1: 8b4d86b927d1e06d88c5b7cf79c6203444b222f6
SHA-256: aed3d7631898b3e69af6e3f81927a0fa22b04af18745f90e013603b42a9ac38c
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1204 User Execution

The PDF contains a 'SE_CLIPBOARD_COMMAND_LURE' heuristic, indicating it instructs the user to copy and paste content into a shell. This is a common technique for social engineering attacks to trick users into executing malicious commands. The document also contains numerous external links, many of which point to PDFs hosted on similar domains, suggesting a link farm or redirection mechanism. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000823a.bin
SHA-256: 7c6a0907ebf75160dadcaafb60deac0e2e22f57246f6dfbb9ed3e7a2672a9204
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x823A
Size: 8956 bytes