Malicious PDF — malware analysis report

Static analysis result for SHA-256 b962bc22bb96e104…

MALICIOUS

PDF

52.5 KB Created: 2020-04-19 14:36:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 221224eee89c037f22306e544383b610 SHA-1: 0e2f9d0a9fd216797d178dc2952ec8e5ea35d87a SHA-256: b962bc22bb96e1045c531ebaf8d0b37ebc4ab355a3efe42d434613106c202c20
104 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or SEO abuse tactic. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may contain instructions for executing commands, potentially leveraging tools like PowerShell or mshta to redirect users to these malicious links. The primary intent appears to be driving traffic to a network of potentially malicious or phishing-related websites.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rochadesigns.com/uploads/1/3/0/8/130814933/130814933.html#ceo+up+pdf
    • http://ishycreo.com/uploads/1/3/0/8/130813592/vakararogirobod.pdf
    • http://1695river.com/uploads/1/3/0/7/130740391/bemadizedifebutoged.pdf
    • http://lavishluxeyewear.com/uploads/1/3/0/6/130604708/kilubepuxukepugomu.pdf
    • http://nhwcmd.com/uploads/1/3/0/5/130543840/fivigew.pdf
    • http://hellohillsdale.com/uploads/1/3/0/7/130740210/xanazutuwujako-worexiwep-tobesoxariw-junizolago.pdf
    • http://liquidbluesrq.com/uploads/1/3/0/8/130813557/guzoliko.pdf
    • http://working4vets.org/uploads/1/3/0/8/130813755/sinakufujalurukemeni.pdf
    • http://airintelhvacinc.com/uploads/1/3/1/4/131407492/2548526.pdf
    • http://jaciswritings.com/uploads/1/3/1/4/131453170/83b0da5e02ae3d5.pdf
    • http://gogetitconference.com/uploads/1/3/0/2/130271098/karawafuwisiwetomit.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a6ea.bin
7163a1810a4791926af50fb483a9f4368faee39ef8419f7108c07d76396265ab		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA6EA 8208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.