Malicious PDF — malware analysis report

Static analysis result for SHA-256 cdd2d953bb9512e3…

MALICIOUS

PDF

40.9 KB Created: 2020-04-18 06:25:37 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6221b9a39b7e106823f292350c9c0b1c SHA-1: 5679b3bfdad1dd28cfd99df05091cbd5c5011f78 SHA-256: cdd2d953bb9512e328dedefa2d5dfc6e732474acc22196fccde9f23593f02e2d
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains heuristics indicating it is a fake invoice or payment lure, and it hosts a large number of external links. The document body, though heavily obfuscated, contains text related to 'Lawyer billable hours template' and references an external URL. The primary malicious URLs identified are epoxysurface.net and splashbombz.shop, which are likely used to host further malicious content or redirect the user.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://epoxysurface.net/uploads/1/3/0/2/130272898/130272898.html#lawyer+billable+hours+template
    • http://splashbombz.shop/uploads/1/3/1/3/131379249/dijogeleraku.pdf
    • http://caylahwestphotography.com/uploads/1/3/0/4/130436190/gojuwevuzedeli_gufenod.pdf
    • http://icegriptape.com/uploads/1/3/0/3/130323631/kurakikoloxim.pdf
    • http://hondumexframingllc.com/uploads/1/3/1/4/131409274/21b80f5.pdf
    • http://mysmilepaparazzi.com/uploads/1/3/0/4/130483783/bemenevokusojanero.pdf
    • http://hometownsweetsandtreats.com/uploads/1/3/0/4/130489776/3555868.pdf
    • http://webcard.online/uploads/1/3/0/2/130272233/jomorozoz.pdf
    • http://pipebore.com/uploads/1/3/0/6/130604054/pagexuratoganup.pdf
    • http://billygoatmonbassa.com/uploads/1/3/0/6/130605374/4519784.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000778b.bin
0ac8eb2b1f4534a9ac9e16cccbb9bf863ed1aff2a7dffaa6a92cfe74759d5483		 pdf-font-stream PDF embedded font (sfnt) at offset 0x778B 7868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.