Malicious PDF — malware analysis report

Static analysis result for SHA-256 d01a1ce62edbc79c…

Verdict: MALICIOUS
File type: PDF

Size: 69.2 KB
Created: 2020-06-06 22:16:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 76d3dcfa32467b0fab8445ded3958550
SHA-1: 698734ccdffc10a7f41d0f45a190d0e94b461e49
SHA-256: d01a1ce62edbc79cdf63e6c24963a11d667404ee19b292403328f2c784696c2f
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The primary lure appears to be related to 'Roommate s2 E*1,E ep 8', directing users to a chain of linked PDF files hosted across multiple domains. The document body is heavily obfuscated, but the embedded URLs are clearly visible and form the core of the attack. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://royalejewelry.ca/uploads/1/3/0/8/130874066/130874066.html#roommate+s2+%25D9%2585%25D8%25AA%25D8%25B1%25D8%25AC%25D9%2585+ep+8
    • http://jhlt-achtus.org/uploads/1/3/0/5/130538959/30d5233ce.pdf
    • http://integra-is.com/uploads/1/3/0/5/130588597/kitelirebu.pdf
    • http://proactivphysicaltherapy.com/uploads/1/3/1/0/131070872/8996339.pdf
    • http://bluegillmarketing.net/uploads/1/3/1/3/131398015/ronepodotomuwuf-rejisagigumijuf.pdf
    • http://besthomeinspectioncompany.net/uploads/1/3/1/3/131383332/ceabf264b4f1.pdf
    • http://propetum.fi/uploads/1/3/1/3/131381452/2e9c97fe11dc.pdf
    • http://cpcalendars.iflogic.com.sg/uploads/1/3/1/3/131383510/mizeduwezuwesa.pdf
    • http://pamnelsonstudios.com/uploads/1/3/0/6/130620934/wifuluroxota.pdf
    • http://mail.poloprague.com/uploads/1/3/1/3/131398225/tibipologoxe.pdf
    • http://mta-sts.mail.foxchapeldistrictforum.com/uploads/1/3/2/3/132302735/vesezagamatapi.pdf
    • https://nerelunuxaxo.files.wordpress.com/2020/06/vaboxozozezolavagim.pdf
    • https://zagezaf.files.wordpress.com/2020/06/22633049804.pdf
    • https://kerivenulod.files.wordpress.com/2020/06/25766067775.pdf
    • https://tojumil.files.wordpress.com/2020/06/xomup.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: stream_004_off0000ced4.bin
    SHA-256: ab7d0e3198607e0af36fea600b6f75687932cbeae24d1791eb790ab053e82dc9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xCED4
    Size: 31964 bytes
  • Filename: font_00_sfnt_off0000abeb.bin
    SHA-256: 244c930bed6ac41778c702067bc5945543d20d3cdaa32af0fff450722b6822b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xABEB
    Size: 10088 bytes