Malicious PDF — malware analysis report

Static analysis result for SHA-256 b538fe6bf5aaa512…

MALICIOUS

PDF

48.3 KB Created: 2020-06-05 14:54:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 26f0ef2ef95faf1640be0ce363581ee8 SHA-1: ff92f0dc982809302d4036fa63969900d4ecaa27 SHA-256: b538fe6bf5aaa5124c8853bad6c94729ea3c57d9dfbc4565af5819962f41d9c1
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF contains a large number of external links, many of which are hosted on suspicious domains and appear to be part of a link farm. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links, and 'SE_CALLBACK_LURE' suggests a phishing or tech-support scam pretext. The document body, though heavily obfuscated, contains a URL that is also present in the heuristics, pointing to a potential phishing or malware delivery site.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://creativeedgegroup.ca/uploads/1/3/0/4/130478009/130478009.html#corelle+lifestyles+kyoto+Kare+16-PC
    • http://gooddayconsultant.com/uploads/1/3/0/6/130622093/69e51f.pdf
    • http://n70kr.salon225.com/uploads/1/3/0/5/130589318/zokebof.pdf
    • http://mta-sts.thecinnamonowl.com/uploads/1/3/0/6/130620899/mafunuwi_bemiraxugejume_fozepovik.pdf
    • http://margotvanhulst.com/uploads/1/3/0/9/130969300/donuwen.pdf
    • http://creativeedgegroup.ca/uploads/1/3/0/4/130478009/terms.html
    • http://creativeedgegroup.ca/uploads/1/3/0/4/130478009/dmca.html
    • http://creativeedgegroup.ca/uploads/1/3/0/4/130478009/policy.html
    • https://xulaxijaz.files.wordpress.com/2020/06/98827247062.pdf
    • https://xikuzum.files.wordpress.com/2020/06/64782818267.pdf
    • https://fewabomomafe.files.wordpress.com/2020/06/84906771047.pdf
    • https://xuxoxolu.files.wordpress.com/2020/06/89610798412.pdf
    • https://nopobulaz.files.wordpress.com/2020/06/nerenexa.pdf
    • https://gozulij.files.wordpress.com/2020/06/vakitazafanidepojizelewor.pdf
    • https://zenazibox.files.wordpress.com/2020/06/76401999525.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://gozulij.files.wordpress.com/2020/06/va

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008ea0.bin
45f5d6cf76833a2a330cc18c628f065ee18e494583ebe893445f4cf5478067b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EA0 11436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.