Malicious PDF — malware analysis report

Static analysis result for SHA-256 caa202c8a043d067…

Verdict: MALICIOUS
File type: PDF
Size: 26.4 KB
Created: 2020-03-31 04:00:45 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 62f4e63b415d717f90c3865432e659ae
SHA-1: 886cbfb5bfc7314bed29d017d8274f1d95c89b48
SHA-256: caa202c8a043d067c4a8d23f9b95df66c393077a80790eda82bf5f3f4e995cf6
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file is an image-only document designed as a lure, containing a clickable link that leads to a series of other PDF files. The primary URL, http://mhfashionusa.com/uploads/1/3/0/7/130738909/130738909.html#death+anniversary+of+a+mother+quotes, is likely part of a phishing campaign or a download chain. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, suggesting a broad distribution or attempt to game search engines.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) (severity: medium, PDF_IMAGE_LURE)
    PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 26 KB. This is the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mhfashionusa.com/uploads/1/3/0/7/130738909/130738909.html#death+anniversary+of+a+mother+quotes