Malicious PDF — malware analysis report

Static analysis result for SHA-256 ceb654d639d4d8c8…

MALICIOUS

PDF

126.3 KB Created: 2020-04-14 23:21:11 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4fee08642a7e1e6f2d6f96e42ebd4cc1 SHA-1: dc8e932f5e1195769ca72c2a69eeebbe1d0f8801 SHA-256: ceb654d639d4d8c8616ea751c32a46b75dda701d6c74f6e0592a2a8c2a302f01
142 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1059.003 Windows Command Shell T1059.001 PowerShell

This PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO poisoning tactic. The document also explicitly instructs the user to copy and paste commands into a terminal, a common social engineering lure associated with ClickFix attacks. No scripts were extracted, but the presence of multiple malicious URLs and the direct user interaction lure are strong indicators of malicious intent.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://distancelearningtoday.net/uploads/1/3/0/8/130814728/130814728.html#mathematica+11.+1+linux
    • http://cashoffer2day.com/uploads/1/3/0/4/130435857/4915267.pdf
    • http://resortvacationsforless.com/uploads/1/3/0/4/130435895/5071099.pdf
    • http://indyductrebateclaims.com/uploads/1/3/0/7/130740165/wukugikubopasis-biroropafixosad.pdf
    • http://aliamiri-lifehacks.com/uploads/1/3/0/6/130621089/7290988.pdf
    • http://creativecapacities.net/uploads/1/3/0/7/130740562/lakolo.pdf
    • http://pulsewavedeals.com/uploads/1/3/0/6/130604585/9880ad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000a7c9.bin
106552510bf6b010c123bfde5a97f0f7100074681be099154aabca0b3c29eb6c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA7C9 99080 bytes
font_00_sfnt_off000085c4.bin
5941182bb11c3b0c80b5c943bc978d60be2a34bffdf1af000d29a72ba83dce1a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85C4 8940 bytes
font_02_sfnt_off0001ce8d.bin
63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1CE8D 2600 bytes
font_03_sfnt_off0001d7b9.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D7B9 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.