Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8f2cd510923d985…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Created: 2020-03-24 01:55:25 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 40a9d981950a50272bb2515af8fc2f77
SHA-1: f5fdf7906d916f3e4747ec334e4162197f4584ca
SHA-256: b8f2cd510923d9855430819d8067a4a358166aeebb5197bac09eccd9f6a19ca9
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment (note: in ATT&CK, T1566.002 is Phishing: Spearphishing Link; Spearphishing Attachment is T1566.001, so either the ID or the name in this mapping is off)
T1204.002 User Execution: Malicious File

The PDF document contains a large number of external links, most of which point to other PDF files hosted on unrelated domains. The targets share one path template (/uploads/1/3/0/x/<nine-digit id>/<random-looking name>.pdf), which is consistent with files uploaded through a single hosting platform rather than genuine citations, and the meaningless filenames are typical of generated SEO content. This pattern is characteristic of a link farm built to manipulate search engine results or to route visitors into a large collection of potentially malicious files. The primary URL in the document body, 'http://michaelhiggins.ie/uploads/1/3/0/5/130590481/130590481.html#powerflex+40+manual+pdf+download', carries a keyword fragment for a product manual; a lure aimed at users searching for technical documentation is a common tactic for phishing or malware distribution.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, mostly clustered on one host or path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (/A << /S /URI ... >>), i.e. a link the viewer will open on click.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; each one is labelled with the channel that reached it (macro, JS, link annotation, document body, ...).
    Primary URL (document body): http://michaelhiggins.ie/uploads/1/3/0/5/130590481/130590481.html#powerflex+40+manual+pdf+download
    External URI action targets (clickable links):
    • http://mdesignbymarsha.com/uploads/1/3/0/5/130589274/tipokefowiv.pdf
    • http://mckconstructiongroup.com/uploads/1/3/0/7/130739165/1715032.pdf
    • http://stampsmnl.com/uploads/1/3/0/2/130272649/bonojokek.pdf
    • http://thebusinessofyounow.com/uploads/1/3/0/6/130621836/mipipuxoxelakon_dekareranisonu.pdf
    • http://www.microchipautoglass.com/uploads/1/3/0/3/130323453/dalonu_melizutif_tefaxu_verubawi.pdf
    • http://canaryfilms.org/uploads/1/3/0/6/130621273/nevetazujo-sabozipoxolap-polixuxapil-lazuxut.pdf
    • http://renewitllc.com/uploads/1/3/0/7/130738771/nerikup.pdf
    • http://poolesvillepickers.com/uploads/1/3/0/5/130589214/0f662cb62bed.pdf
    • http://marlenenmeyersonjcc.net/uploads/1/3/0/5/130539908/49f9a748be59.pdf
    • http://bradshawwishyoga.com/uploads/1/3/0/9/130969791/c5bb19e3bb4.pdf
    • http://www.exoticstitches.com/uploads/1/3/0/7/130774977/mutawopakeb.pdf
    • http://azibulldogges.com/uploads/1/3/0/5/130590467/panav.pdf
    • http://hitchly.com/uploads/1/3/0/7/130775278/vasukixewup_mepigupomimog.pdf
    • http://www.theprismwithin.com/uploads/1/3/0/5/130550742/47357a377bd7.pdf
    • http://itstartswithone.com/uploads/1/3/0/6/130605156/tifimulirab-lugigobave.pdf
    • http://www.nothing-is-certain.com/uploads/1/3/0/6/130621682/matiwowije.pdf
    • http://deonu.com/uploads/1/3/0/6/130604602/1824109.pdf
    • http://rinievandriel.com/uploads/1/3/0/6/130620528/rurigajomudafisiv.pdf
    XMP metadata namespace URIs (schema identifiers from the document's metadata stream, not clickable links; listed for completeness and not counted by the link-farm heuristic):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
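As an added worked example (not part of the report and not the analysis platform's own code), the following Python script shows how the two signals above are separated and scored: it pulls URLs out of /URI actions (the clickable links behind PDF_URI and PDF_SEO_LINK_FARM) separately from xmlns declarations in the XMP metadata stream, then applies an illustrative link-farm rule. The PDF it scans is constructed inside the script with hypothetical .example hostnames; the thresholds (size limit, minimum number of .pdf links, 50% host or path-template share) are assumptions chosen for the demo, not the vendor's rule.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# ---- Constructed sample (NOT the analysed file): one .html lure plus twelve
# .pdf targets on distinct hypothetical hosts that share a path template, as in
# the report's listing. Built here so the demo runs offline.
LINK_URLS = [
    "http://lure.example/uploads/1/3/0/5/130590481/130590481.html#powerflex+40+manual+pdf+download",
] + [f"http://host{i}.example/uploads/1/3/0/5/1305{i:05d}/file{i}.pdf" for i in range(12)]
XMP = (b'<?xpacket begin=""?><x:xmpmeta xmlns:x="adobe:ns:meta/">'
       b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
       b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
       b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta><?xpacket end="w"?>')


def build_pdf(urls, xmp):
    """Assemble a minimal PDF: one page, one /Link annotation (with a /URI action)
    per URL, and an XMP /Metadata stream. A real xref table is written so that
    ordinary PDF tooling can open the result as well."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",            # obj 1
            b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",                    # obj 2
            b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream"]                                          # obj 3
    kids = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + kids + b"] >>")                                            # obj 4
    for i, u in enumerate(urls):                                             # obj 5..n
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 400 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 15, u.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


INNER_DICT = re.compile(rb"<<([^<>]*)>>")                     # innermost dictionaries only
URI_STRING = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")     # literal string after /URI
XMLNS_DECL = re.compile(rb'xmlns:[A-Za-z0-9_-]+="([^"]+)"')


def extract_uri_actions(pdf: bytes):
    """URLs reachable through /A << /S /URI /URI (...) >> actions: the links a
    viewer follows on click. Assumes literal (parenthesised) strings; hex-string
    and object-stream-packed URIs are out of scope for this demo."""
    urls = []
    for m in INNER_DICT.finditer(pdf):
        body = m.group(1)
        if re.search(rb"/S\s*/URI\b", body):
            s = URI_STRING.search(body)
            if s:
                urls.append(s.group(1).decode("latin-1"))
    return urls


def extract_xmp_namespaces(pdf: bytes):
    """Namespace URIs declared in the XMP packet. These identify metadata
    schemas; they are not links and must not feed link-count heuristics."""
    return [m.group(1).decode("latin-1") for m in XMLNS_DECL.finditer(pdf)]


def seo_link_farm(pdf: bytes, size_limit=200 * 1024, min_pdf_links=10, share=0.5):
    """Illustrative PDF_SEO_LINK_FARM-style rule (thresholds are assumptions):
    a small file whose clickable links are dominated by external .pdf targets
    that share either one host or one path template (first four path segments)."""
    links = extract_uri_actions(pdf)
    ext = [urlparse(u) for u in links if u.lower().startswith(("http://", "https://"))]
    pdf_links = [p for p in ext if p.path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(p.netloc.lower() for p in pdf_links)
    templates = Counter("/".join(p.path.split("/")[:5]) for p in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    tmpl_share = templates.most_common(1)[0][1] / n if n else 0.0
    hit = len(pdf) <= size_limit and n >= min_pdf_links and max(host_share, tmpl_share) >= share
    return {"size": len(pdf), "links": len(links), "pdf_links": n,
            "host_share": host_share, "template_share": tmpl_share, "hit": hit}


SAMPLE_PDF = build_pdf(LINK_URLS, XMP)

if __name__ == "__main__":
    print("clickable:", extract_uri_actions(SAMPLE_PDF))
    print("xmp namespaces:", extract_xmp_namespaces(SAMPLE_PDF))
    print("verdict:", seo_link_farm(SAMPLE_PDF))
```

On the constructed sample the host share is only 1/12, so a rule keyed purely on "one host" would miss it; the shared /uploads/1/3/0 template is what fires, which is the situation the report's listing shows (unrelated domains, identical path structure). Swap `SAMPLE_PDF` for `open(path, "rb").read()` to run the same split on a real file, bearing in mind that links inside compressed object streams need decompression first.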

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams, which is expected for a document rendered by wkhtmltopdf.

font_00_sfnt_off00007263.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7263
  Size: 7536 bytes
  SHA-256: b7492b0f06071b5d1c54cb0e319fe01e3d0f711901b499fd4155c94e702b95c1

font_01_sfnt_off00008f8a.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F8A
  Size: 16420 bytes
  SHA-256: cc1fea6d592cf252e238353dec1c1af814a7cda6070f8cf724de89da7b4082e5