Malicious PDF — malware analysis report

Static analysis result for SHA-256 c93e244f4c40e44a…

MALICIOUS

PDF

37.8 KB Created: 2020-06-03 20:52:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dc17801dda805b6f275a739a7f115fb1 SHA-1: 1c7cef7ff03621b3a9bfb874ca3e3abc92080030 SHA-256: c93e244f4c40e44ac2730b68fc901b52c1e800a229bec1caf7a487437a7ba080
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

This PDF file contains numerous external links, a common technique for SEO manipulation or distributing malicious content. The PDF_SEO_LINK_FARM heuristic indicates a large number of external links, with shaw89.com being a dominant host. The presence of a 'download button' lure further suggests an attempt to trick the user into interacting with the document. No scripts were extracted, limiting the analysis of direct payload delivery.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bloodblisterapparel.com/uploads/1/3/0/6/130639024/130639024.html#professional+python+programming
    • http://shaw89.com/uploads/1/3/1/0/131070459/xiguxigapikiza.pdf
    • http://preschool.aecaregina.com/uploads/1/3/1/3/131381703/kemafesom.pdf
    • http://trusted-realty.com/uploads/1/3/1/4/131452816/poviwa.pdf
    • http://markapple.com/uploads/1/3/1/8/131871710/3e8b10.pdf
    • http://store.anthonymichaelfitness.com/uploads/1/3/0/2/130291939/6610906.pdf
    • http://theultrabroker.com/uploads/1/3/1/4/131438523/8808631.pdf
    • http://cuentaspsn.com/uploads/1/3/0/3/130379164/gemila.pdf
    • http://bloodblisterapparel.com/uploads/1/3/0/6/130639024/terms.html
    • http://bloodblisterapparel.com/uploads/1/3/0/6/130639024/dmca.html
    • http://bloodblisterapparel.com/uploads/1/3/0/6/130639024/policy.html
    • http://bloodblistera
    • https://wemolugiwade.files.wordpress.com/2020/05/65858565381.pdf
    • https://tavijoga.files.wordpress.com/2020/05/fibimufi.pdf
    • https://bemurates.files.wordpress.com/2020/05/58368344079.pdf
    • https://lusemalovalo.files.wordpress.com/2020/06/viduzajedarovomipigit.pdf
    • https://tirumefe.files.wordpress.com/2020/05/1033030731.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000664d.bin
97f194f7e1c7b0eab13f02f32d1b7dcc4098e5c4facbdf4c27dfaa6b53a25e3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x664D 10948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.