Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9dfa162396903d6…

MALICIOUS

PDF

39.7 KB Created: 2020-04-10 01:28:15 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f344e219a49a2680af40eb07b00aa6e5 SHA-1: 9fcbb9313c5bbb30e8b6a6419bf648d229afc177 SHA-256: b9dfa162396903d6cf37fb28d1986cfa15d5c4484864f2ceca731316f7a7f985
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are hosted on newly registered domains and point to files with numeric or obfuscated names. This pattern is indicative of a link farm or a distribution point for malicious content, likely attempting to trick users into downloading malware by posing as a resource for 'learning web design'. No scripts were extracted, but the extensive use of external URLs suggests a download or redirection mechanism.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ee.education/uploads/1/3/0/6/130620890/130620890.html#learning+web+design+5th+edition+pdf+download
    • http://radiodynamo.fi/uploads/1/3/0/9/130969198/dunuxig_narususejetalez_saxobogoxaf_jisutu.pdf
    • http://beelbangerapost.com/uploads/1/3/0/7/130739060/xovuneduf_pobubutuno_renaditosef_fesadojebin.pdf
    • http://carolynbkennedy.com/uploads/1/3/0/6/130639254/wapuxoj.pdf
    • http://globaleximportusa.com/uploads/1/3/0/2/130289475/konewudulozuze.pdf
    • http://agpabooks.com/uploads/1/3/1/0/131070858/jurifeva.pdf
    • http://shirleyxli.com/uploads/1/3/0/5/130547486/rilumivezu_kemababina_zedof_sodul.pdf
    • http://rock-n-wear.com/uploads/1/3/1/3/131378993/3308431.pdf
    • http://mystickamis.com/uploads/1/3/0/4/130476086/6722754.pdf
    • http://chelseacarol.com/uploads/1/3/0/6/130639493/relipewutes_fofinozowaneb_rozokikoli_gefomobeju.pdf
    • http://youaremydj.com/uploads/1/3/0/6/130620919/dawad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000713c.bin
8da8aa624787b43c7dd931ab29a0cb44e39b0af6f6a06525ec02c9773c8db89e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x713C 8556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.