Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6aef59de6a8a405…

MALICIOUS

PDF

36.9 KB Created: 2020-04-26 03:20:22 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 80ccd15fd53142bf7b9530c4eab7ac0e SHA-1: e75cbb4b9f63473a3e8191daf012fafdd41d0358 SHA-256: c6aef59de6a8a4056aec70eecb7c02f7661e5da27ea448f4b250af732fe798a0
82 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF document contains a lure instructing the user to enable macros or editing, disguised as an 'Outlook email signature design template'. This heuristic, combined with the numerous external PDF links, suggests the document is designed to facilitate the download of a second-stage payload. The primary attack pattern involves social engineering to bypass security measures and deliver further malicious content.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shed1st.com/uploads/1/3/0/2/130271255/130271255.html#outlook+email+signature+design+template
    • http://palmdesertplumbing.com/uploads/1/3/0/6/130603724/rosonud_wevexamamis.pdf
    • http://madeonwalton.com/uploads/1/3/0/7/130738801/8737099.pdf
    • http://lolas-hc.org/uploads/1/3/0/6/130639574/3403bd.pdf
    • http://kidspartymascotsuk.com/uploads/1/3/0/7/130739182/9714241.pdf
    • http://startingpoint.info/uploads/1/3/1/3/131384635/7303ce6.pdf
    • http://noevalleycontemporary.com/uploads/1/3/0/2/130291939/fujeguso-zewajovimem.pdf
    • http://travellight.online/uploads/1/3/0/2/130271226/1417706.pdf
    • http://suggaspyce.com/uploads/1/3/0/4/130476024/d4c861f1d896e.pdf
    • http://personalblogmadt.com/uploads/1/3/0/8/130814534/lakidijorukizup.pdf
    • http://dontuseatigisnurance.com/uploads/1/3/0/6/130621985/pomevub.pdf
    • http://womenrizeup.org/uploads/1/3/0/5/130550911/sefasupu.pdf
    • http://kidspart
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006906.bin
6a3139cfbb9babaed63e573213bae3a42f0ede5878059a348e09f60f5b39a61c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6906 7828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.