Malicious PDF — malware analysis report

Static analysis result for SHA-256 c60c0107a9d716c9…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
Created: 2020-04-06 04:50:54 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6b88dee2e8e79d60f764f5488f5df834
SHA-1: bbe926189a913018d69ff8cb2f30fcf81365abf4
SHA-256: c60c0107a9d716c9a7333e04e6972e05f98942a4fb575a5a70f493c3b1c29439
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (the attachment sub-technique of Phishing; T1566.002 is Spearphishing Link)
T1059.001 PowerShell (no PowerShell or other script content appears in the heuristics or extracted artifacts below, so this mapping is not confirmed by the static evidence on this page)

The PDF carries a large number of external link annotations, and every listed target is another PDF file. Those targets sit on eleven different domains but share one path template (/uploads/1/3/0/<digit>/<nine-digit id>/<name>.pdf), which points to automatically generated carrier documents on a common hosting platform rather than genuine citations. The document body, though heavily obfuscated, contains a URL on a twelfth domain with the same path template whose fragment (#fern+forest+vacation+estates) reads as a vacation-rental lure, and the Callback phishing phone lure heuristic indicates that the text asks the reader to call a phone number, consistent with a callback or tech-support scam. The link farm is most likely meant to route the reader into malicious or unwanted-software delivery chains or phishing pages. The remaining extracted URLs (w3.org, purl.org, ns.adobe.com) are XMP metadata namespace identifiers, not link targets, and should not be counted as external links.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the targets are spread over eleven hosts but share a single directory template, so the clustering is on the path rather than the host.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    The document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback phishing or tech-support scam patterns.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the grouping below shows which channel (document body, link annotation, metadata) carried each URL.
    URL in the document body (the vacation-estate lure):
    • http://sportneuropsychologie.info/uploads/1/3/0/5/130544751/130544751.html#fern+forest+vacation+estates
    External PDF link targets (the link farm):
    • http://beverlyhillsjewelry.org/uploads/1/3/0/7/130775666/9038467.pdf
    • http://aksvinfotech.com/uploads/1/3/0/2/130289233/5716811.pdf
    • http://damouretdesucre.com/uploads/1/3/0/6/130639689/6351632.pdf
    • http://makerplacelivework.com/uploads/1/3/0/3/130313132/467049.pdf
    • http://drewwrightpt.com/uploads/1/3/0/3/130323814/15354bb3c45.pdf
    • http://thetextureacademy.com/uploads/1/3/0/8/130813866/9657589.pdf
    • http://westcoastchems.net/uploads/1/3/0/9/130969182/nexutezori.pdf
    • http://claireandlou.com/uploads/1/3/0/7/130739431/a162d36861fbb.pdf
    • http://rkinternationals.com/uploads/1/3/0/2/130291536/zepazujepikupaxi.pdf
    • http://urgentcareandpediatric.com/uploads/1/3/0/2/130272582/4211551.pdf
    • http://appareluno1.org/uploads/1/3/0/8/130813524/3051115.pdf
    XMP metadata namespace URIs (benign, not link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
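Added example for this report, not the analysis tool's own code: a short Python triage script that does what the PDF_SEO_LINK_FARM and EMBEDDED_URL entries describe. It pulls /URI link-annotation targets out of raw PDF bytes, keeps them apart from URLs found elsewhere in the file (document body, XMP metadata), discards the XMP/RDF namespace identifiers so they are never counted as external links, and scores the link-farm pattern. It generalises the heuristic slightly: besides clustering on one host it also flags one shared directory template across many hosts, which is what this sample's targets show. The size and count thresholds, the regex-based extraction (it sees uncompressed objects only) and the build_sample_pdf() helper that constructs a tiny test PDF from five of the URLs listed above are all assumptions of the example, not properties of the analysed file.

```python
# Added example, not the analysis tool's code: offline PDF link triage that keeps
# /URI annotation targets apart from other URLs, drops XMP namespace identifiers
# and scores the PDF_SEO_LINK_FARM pattern. Thresholds are assumed values.
import re
from collections import Counter
from urllib.parse import urlsplit

# Namespace URIs present in any PDF with XMP metadata; never clickable targets.
METADATA_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                        "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")  # /A << /S /URI /URI (...) >>
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')]+")            # URL-looking bytes anywhere

def _unescape(raw: bytes) -> str:
    """Undo the delimiter escapes \\( \\) \\\\ of a PDF literal string."""
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")

def extract_urls(pdf_bytes: bytes):
    """Return (link_annotation_targets, other_urls). Handles uncompressed objects
    only; a real tool inflates FlateDecode streams (and decrypts) first."""
    targets = [_unescape(m) for m in URI_ACTION_RE.findall(pdf_bytes)]
    everything = {u.decode("latin-1") for u in ANY_URL_RE.findall(pdf_bytes)}
    return targets, sorted(everything - set(targets))

def is_metadata_namespace(url: str) -> bool:
    return url.startswith(METADATA_NS_PREFIXES)

def _dir_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed:
    /uploads/1/3/0/7/130775666/9038467.pdf -> /uploads/N/N/N/N/N/"""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0] + "/")

def link_farm_score(pdf_bytes: bytes, max_size=200 * 1024, min_pdf_links=5, cluster_share=0.5):
    """Generalises the heuristic slightly: besides clustering on one host it also
    flags one shared path template across many hosts, as in the analysed sample."""
    targets, others = extract_urls(pdf_bytes)
    external = [u for u in targets if not is_metadata_namespace(u)]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(_dir_template(u) for u in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template_share = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf_bytes), "external_links": len(external), "pdf_links": n,
        "distinct_hosts": len(hosts), "host_share": round(host_share, 2),
        "template_share": round(template_share, 2),
        "body_urls": [u for u in others if not is_metadata_namespace(u)],
        "metadata_namespaces": [u for u in others if is_metadata_namespace(u)],
        "link_farm": (len(pdf_bytes) <= max_size and n >= min_pdf_links
                      and max(host_share, template_share) >= cluster_share),
    }

def build_sample_pdf(link_targets, body_url):
    """Constructed sample, not the analysed file: one page with a /URI link
    annotation per target, a text stream containing body_url, and XMP metadata."""
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
           b"<rdf:Description xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></rdf:RDF>")
    text = b"BT /F1 12 Tf 72 720 Td (" + body_url.encode("latin-1") + b") Tj ET"
    annots = b" ".join(b"%d 0 R" % (6 + i) for i in range(len(link_targets)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 5 0 R /Annots [" + annots + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream",
    ]
    for u in link_targets:  # escape the three PDF literal-string delimiters
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 540 712] /A << /S /URI /URI (" + esc + b") >> >>")
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return out

# Targets and body URL copied from the report's extracted-URL list above.
LINK_FARM_TARGETS = [
    "http://beverlyhillsjewelry.org/uploads/1/3/0/7/130775666/9038467.pdf",
    "http://aksvinfotech.com/uploads/1/3/0/2/130289233/5716811.pdf",
    "http://damouretdesucre.com/uploads/1/3/0/6/130639689/6351632.pdf",
    "http://makerplacelivework.com/uploads/1/3/0/3/130313132/467049.pdf",
    "http://drewwrightpt.com/uploads/1/3/0/3/130323814/15354bb3c45.pdf",
]
BODY_LURE = ("http://sportneuropsychologie.info/uploads/1/3/0/5/130544751/"
             "130544751.html#fern+forest+vacation+estates")
SAMPLE_PDF = build_sample_pdf(LINK_FARM_TARGETS, BODY_LURE)

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
```

Run it directly to print the score dictionary for the constructed sample. On a real file, read the bytes and inflate any compressed object streams before calling link_farm_score(), since the regexes only see plaintext objects; the three namespace URIs land in metadata_namespaces, the lure lands in body_urls, and only the /URI targets count toward the link-farm verdict.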

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000814e.bin
SHA-256: 157a7058c8b8e9bc0be6836e52204bb029ca199661ab71cf9f24a35475ded4e4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x814E
Size: 9680 bytes

An embedded font stream is expected in wkhtmltopdf output; none of the heuristics above flag it.