Malicious PDF — malware analysis report

Static analysis result for SHA-256 c47f6fcd04a15231…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2020-04-11 10:28:48 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2aa3218914eba7ef69a466ba5149fc01
SHA-1: 0a8d7595959aca4422ba7fdd03ec49edd199e781
SHA-256: c47f6fcd04a1523163fd3c695a6e4ebd82ebc8882bd511a8a63be6bbfe6f813b
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains numerous external links, many of which point to PDF files hosted on domains that appear to be part of a link farm. The document body mentions "Autodata crack francais," suggesting a lure to download cracked software. The "Security software disable instruction" heuristic also fired, indicating that the document asks the reader to turn off security measures. The primary intent appears to be directing users to download further malicious content from the listed URLs.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_SECURITY_BYPASS (high): Security software disable instruction
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-77-77.mgwnet.com/uploads/1/3/0/7/130739039/130739039.html#autodata+crack+francais
    • http://finalexpensespaid.com/uploads/1/3/1/4/131438137/e4f35f2361b049.pdf
    • http://enchantmentaesthetics.com/uploads/1/3/0/6/130604509/7931202.pdf
    • http://vivalasvegas2017.com/uploads/1/3/0/8/130814909/4200918.pdf
    • http://kimvandoren.com/uploads/1/3/0/9/130970014/2782223.pdf
    • http://itsasisterthing.org/uploads/1/3/0/6/130603785/bokugopadozudar_rinew.pdf
    • http://rosvoy.com/uploads/1/3/0/2/130271094/966c737b918df5.pdf
    The remaining URIs are standard XMP/RDF metadata namespace identifiers written by the authoring tool, not navigation links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006350.bin
SHA-256: 84dcff50cc974e91fd92d3af7b932a0343cf44e7828009e112c0a8332487ca76
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6350
Size: 8740 bytes