Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5af25e69525e1cc…

MALICIOUS

PDF

49.7 KB Created: 2020-04-25 19:51:22 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 75d47d9c684e2b974331dc59be5c36b9 SHA-1: b7e2297a89f5cf33c278bcafd32ea39af8e27f4e SHA-256: c5af25e69525e1cc2831689fe4638e5e290ffb09e3c2aa8110d3eb96b05b94a5
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF document contains a large number of external links, indicative of a link farm, and specifically lures the user to install a browser update or extension. This suggests a social engineering attack aimed at tricking the user into downloading malicious content. The presence of a password archive lure further supports this, as it's a common method to bypass gateway security for malicious payloads.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://solopaso.com/uploads/1/3/0/6/130639609/130639609.html#android+os+battery+drain+nougat
    • http://allisonmilmoe.com/uploads/1/3/0/7/130775354/4318946.pdf
    • http://balbiscompetitionsuits.com/uploads/1/3/0/3/130323208/negaledovu.pdf
    • http://maaloufindustries.com/uploads/1/3/0/5/130590413/292cd.pdf
    • http://comfortprofessionalsheatingairconditioning.com/uploads/1/3/0/8/130874648/wuxetovewowavevikes.pdf
    • http://thesustainables.biz/uploads/1/3/1/3/131384044/losimu.pdf
    • http://iridescent.vip/uploads/1/3/0/6/130640091/wuxojukafufawap_xezigi_tamizaduzal.pdf
    • http://narwana.net/uploads/1/3/0/5/130551095/468311.pdf
    • http://kelleycarney.com/uploads/1/3/0/7/130775972/werew_noxogizudi_motevibeju.pdf
    • http://commasdesign.com/uploads/1/3/0/7/130776719/4450157.pdf
    • http://elliotchangmusic.com/uploads/1/3/0/6/130639363/8511654.pdf
    • http://mobileautorepairbend.com/uploads/1/3/0/6/130639333/1766b1cfba901.pdf
    • http://meetthewirths.com/uploads/1/3/0/7/130776001/8ee31d.pdf
    • http://trendydressesboutique.com/uploads/1/3/1/4/131454603/3603841.pdf
    • http://careerseeker.services/uploads/1/3/0/3/130323571/89598f307.pdf
    • http://crm-specialists.com/uploads/1/3/1/3/131379544/3745752.pdf
    • http://trendydre
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000976c.bin
45f74798038b992d1f0cc13178b422053ed872ea7c2a554f9a93f3e780e335a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x976C 8868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.