Malicious PDF — malware analysis report

Static analysis result for SHA-256 b5c043fa21b50d8e…

MALICIOUS

PDF

Size: 17.3 KB
Created: 2020-03-31 04:00:45 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 90bf24e1fc7b52fe1d07af5dd8af73ad
SHA-1: 0768fa453827c14e70fd80fcbf755285d0b771ee
SHA-256: b5c043fa21b50d8e6e80acaef9744eaf52edc35b5b874c0bb7b5d51502ff64fb
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment    T1204.001 User Execution: Malicious Link

The PDF is an image-only lure designed to get the user to click a link. The document has no text objects at all; its theme, "death anniversary of a mother quotes", is carried in the fragment of the landing-page URL and disguises the document's purpose as a harmless quotes page. The embedded URLs point to one external HTML page and to further PDF files on other hosts, consistent with a phishing or redirection chain in which each PDF forwards the reader to the next hop. The authoring application (wkhtmltopdf) is consistent with bulk HTML-to-PDF generation rather than a hand-authored document. No scripts were extracted from this sample.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 14 PDF links resolve to 14 distinct hosts, but all share the same /uploads/1/3/.../<id>/ path layout, so the clustering is by hosting pattern rather than by hostname.
  • PDF_IMAGE_LURE (medium): Image-only document with action trigger (screenshot lure)
    PDF has 1 image(s), 0 text block(s), carries a click-outward action, and is only 17 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. 15 URLs were extracted: the first is the HTML landing page, the remaining 14 are PDF files.
    • http://mhfashionusa.com/uploads/1/3/0/7/130738909/130738909.html#death+anniversary+of+a+mother+quotes
    • http://americancaulkingassociation.org/uploads/1/3/0/4/130475959/2270437.pdf
    • http://divineresumeservices.com/uploads/1/3/0/7/130776639/kunidi.pdf
    • http://treatyourselflikeyoumatter.com/uploads/1/3/0/4/130435791/kekujegetewuxomu.pdf
    • http://myflorentine.com/uploads/1/3/0/7/130776667/6976582.pdf
    • http://infernostraining.com/uploads/1/3/0/6/130639412/sezibebiwipisijoz.pdf
    • http://theawnmvt.com/uploads/1/3/1/0/131069997/7918987.pdf
    • http://fuerzaypoder.org/uploads/1/3/0/6/130639687/niripajitusoda_nalalef_jewokifuje.pdf
    • http://barnhartchiro.com/uploads/1/3/0/6/130620916/lonefadeka.pdf
    • http://yuvaorganic.com/uploads/1/3/0/5/130588428/bawoboxejulef_ridigikefebasib.pdf
    • http://amsterdamflag.com/uploads/1/3/0/6/130621193/biwudewanimesoxujagu.pdf
    • http://tracymacewan.com/uploads/1/3/0/7/130775746/kasiwiwefixadiwisid.pdf
    • http://consors.org.uk/uploads/1/3/0/3/130379094/2206181.pdf
    • http://market-blueprint.com/uploads/1/3/0/2/130289233/adfa17d4b9b9dc.pdf
    • http://mymorethan.com/uploads/1/3/0/6/130603824/wupebomogirow.pdf
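The two lure heuristics above (PDF_IMAGE_LURE and PDF_SEO_LINK_FARM) can be reproduced with a small dependency-free scan over raw PDF bytes. The following is an added example written for this page, not the scanner's own code: the thresholds (64 KB, at least 10 PDF links, 60 % clustering), the regex-based extraction that ignores compressed object streams, and the helper that builds a test PDF from the report's URL list are all assumptions, and the constructed PDF stands in for the real sample.

```python
"""Triage the two PDF lure heuristics from the report over raw PDF bytes.
Added example for this page; the scanner's real logic is not published, so the
thresholds and the regex-based extraction below are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Compressed (FlateDecode) object streams are out of scope: a real tool inflates
# them first. The constructed sample below is uncompressed, as wkhtmltopdf output
# often is for annotation dictionaries.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")            # /A << /S /URI /URI (...) >>
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")         # image XObjects
TEXT_BLOCK_RE = re.compile(rb"\bBT\b.*?\bET\b", re.S)  # BT ... ET text objects


def extract_uris(pdf: bytes) -> list:
    """Every /URI action target (URLs containing escaped parens are not handled)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def triage(pdf: bytes, small_kb=64, farm_min_links=10, cluster_ratio=0.6) -> dict:
    """Return the labels together with the evidence, so an analyst sees why each fired."""
    uris = extract_uris(pdf)
    images = len(IMAGE_RE.findall(pdf))
    text_blocks = len(TEXT_BLOCK_RE.findall(pdf))
    size_kb = len(pdf) / 1024
    labels = []
    if uris:
        labels.append("PDF_URI")
    # Screenshot lure: at least one image, no text, small file, a click-outward action.
    if images >= 1 and text_blocks == 0 and uris and size_kb <= small_kb:
        labels.append("PDF_IMAGE_LURE")
    pdf_links = [u for u in uris if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    # Cluster by hostname (the rule text) OR by shared directory layout: the report's
    # sample uses 14 different hosts that all serve /uploads/1/3/.../<id>/.
    layout = Counter("/".join(urlsplit(u).path.split("/")[:4]) for u in pdf_links)
    clustered = bool(pdf_links) and max(
        hosts.most_common(1)[0][1], layout.most_common(1)[0][1]
    ) / len(pdf_links) >= cluster_ratio
    if size_kb <= small_kb and len(pdf_links) >= farm_min_links and clustered:
        labels.append("PDF_SEO_LINK_FARM")
    return {"size_kb": round(size_kb, 1), "images": images, "text_blocks": text_blocks,
            "uri_count": len(uris), "pdf_link_hosts": len(hosts), "labels": labels}


def build_sample_pdf(urls: list) -> bytes:
    """Constructed test input (not the real sample): one page, a 1x1 image XObject
    drawn full-page, no text operators, one /Link annotation per URL. The xref
    table is omitted because the regex scan does not need it."""
    ids = list(range(5, 5 + len(urls)))
    annots = b" ".join(b"%d 0 R" % i for i in ids)
    out = [b"%PDF-1.4\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 99 0 R "
           b"/Annots [" + annots + b"] >> endobj\n",
           b"4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
           b"/ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> "
           b"stream\n\x00\nendstream endobj\n",
           b"99 0 obj << /Length 31 >> stream\nq 612 0 0 792 0 0 cm /Im0 Do Q\n"
           b"endstream endobj\n"]
    for i, u in zip(ids, urls):
        out.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
                   b"/A << /S /URI /URI (%s) >> >> endobj\n" % (i, u.encode("latin-1")))
    out.append(b"trailer << /Root 1 0 R >>\n%EOF\n")
    return b"".join(out)


# The URLs extracted from the sample in the report above.
SAMPLE_URLS = [
    "http://mhfashionusa.com/uploads/1/3/0/7/130738909/130738909.html#death+anniversary+of+a+mother+quotes",
    "http://americancaulkingassociation.org/uploads/1/3/0/4/130475959/2270437.pdf",
    "http://divineresumeservices.com/uploads/1/3/0/7/130776639/kunidi.pdf",
    "http://treatyourselflikeyoumatter.com/uploads/1/3/0/4/130435791/kekujegetewuxomu.pdf",
    "http://myflorentine.com/uploads/1/3/0/7/130776667/6976582.pdf",
    "http://infernostraining.com/uploads/1/3/0/6/130639412/sezibebiwipisijoz.pdf",
    "http://theawnmvt.com/uploads/1/3/1/0/131069997/7918987.pdf",
    "http://fuerzaypoder.org/uploads/1/3/0/6/130639687/niripajitusoda_nalalef_jewokifuje.pdf",
    "http://barnhartchiro.com/uploads/1/3/0/6/130620916/lonefadeka.pdf",
    "http://yuvaorganic.com/uploads/1/3/0/5/130588428/bawoboxejulef_ridigikefebasib.pdf",
    "http://amsterdamflag.com/uploads/1/3/0/6/130621193/biwudewanimesoxujagu.pdf",
    "http://tracymacewan.com/uploads/1/3/0/7/130775746/kasiwiwefixadiwisid.pdf",
    "http://consors.org.uk/uploads/1/3/0/3/130379094/2206181.pdf",
    "http://market-blueprint.com/uploads/1/3/0/2/130289233/adfa17d4b9b9dc.pdf",
    "http://mymorethan.com/uploads/1/3/0/6/130603824/wupebomogirow.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

On the constructed sample the scan reports 1 image, 0 text blocks, 15 URIs on 14 PDF-link hosts and fires PDF_URI, PDF_IMAGE_LURE and PDF_SEO_LINK_FARM; a PDF that carries real text alongside its image keeps only PDF_URI, which is the distinction an analyst wants before escalating a single-link document.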