Malicious PDF — malware analysis report

Static analysis result for SHA-256 c38bcdc99c4aa7c5…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2020-03-16 03:46:11 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6d05b1d0b117656cf2f1b2c2e426096c
SHA-1: 23350b1acef62064886ea1129e42c0a7df169931
SHA-256: c38bcdc99c4aa7c5424ec2ca0156d196755fc443c76176401c77297204907c6a
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to PDF files hosted on various domains. The document body text, though heavily obfuscated, contains references to 'plagiarism checker' and 'project report', suggesting a lure to entice users to click on these links. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to distribute malicious content. The primary URL http://sta-66-99-58-203.ladse.org/uploads/1/3/0/7/130776822/130776822.html#plagiarism+checker+online+for+project+report is presented as a plagiarism checker, further supporting the lure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://sta-66-99-58-203.ladse.org/uploads/1/3/0/7/130776822/130776822.html#plagiarism+checker+online+for+project+report

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007d1a.bin
SHA-256: 472d0b0fb3ac5dd24959770116beb69a4a41100b2000fb124ff3885e51e7b4c8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7D1A
Size: 8064 bytes