Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc00382f9581c92f…

MALICIOUS

PDF

132.2 KB Created: 2020-03-23 07:45:17 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 19e68fe899d4a94088f614a91a4822f5 SHA-1: 8b74cad3947a0aaedd8b5f44bf0154a0d25e07d1 SHA-256: cc00382f9581c92f503af1c2d1938e743c18a452f38a0fddb96b58a1acdb7a72
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to similarly structured URLs on different domains, indicative of a link farm. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document's content is designed to trick users into a financial scam. The embedded URLs likely serve as redirection points for the scam.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://badandboujiebodyproducts.com/uploads/1/3/0/6/130621805/130621805.html#fahrenheit+451+movie+1966+common+sense+media
    • http://pepperpotdaycentre.co.uk/uploads/1/3/0/8/130874667/zoketufaxowus_suluf_robegaxuvopogi_rukudew.pdf
    • http://aldridgeteach.com/uploads/1/3/1/0/131070829/sisupimuvulewag.pdf
    • http://worldofinfo.ru/uploads/1/3/0/5/130543156/30b1d4d61d9bb0.pdf
    • http://agenttemplate.com/uploads/1/3/0/7/130738553/7c0b71899be771.pdf
    • http://www.ashleycastrosalonstudio.com/uploads/1/3/0/6/130603802/gapumo_kifinawiji_xapujofo.pdf
    • http://hotelsexbook.com/uploads/1/3/0/3/130323411/sepeju-fudarununawej-radujeja-kupaja.pdf
    • http://cpanel.camppepper.com/uploads/1/3/0/5/130539881/fijezoxi.pdf
    • http://housing-kaboom.com/uploads/1/3/0/6/130620249/bidizufutegemiwobe.pdf
    • http://designtoohtml.com/uploads/1/3/0/3/130313436/guxabeb_jazuzar_kitoj.pdf
    • http://damaycare.com/uploads/1/3/0/9/130969654/d79b4946ecf20.pdf
    • http://egametrivia.com/uploads/1/3/0/7/130740173/c4ba5bcdd980e.pdf
    • http://stratekia.net/uploads/1/3/0/5/130551670/domalefilazido.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001dbb9.bin
e403cb1660de1973c051af68e794296f021c92931a833b9701f625dfd7f71656		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1DBB9 10396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.