Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1dd783f70048cee…

Verdict: MALICIOUS
File type: PDF
Size: 29.2 KB
Created: 2020-05-01 06:06:02 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4c35daf0cd72ff3fdda592754eaabb5c
SHA-1: 138a27529969da0254e995a6e0e8206ca472dc94
SHA-256: d1dd783f70048cee172c71c25d1aa82ec9f574e31052e6d398845b94016c3519
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, many of which are numerically or generically named PDFs hosted on various domains. The document body mentions 'Prank caller app for android', suggesting a social engineering lure to encourage users to click these links. The PDF_SEO_LINK_FARM heuristic indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to distribute malicious content across multiple domains. No scripts were extracted, but the extensive link farm points to a delivery mechanism for further malicious content.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006485.bin
SHA-256: 1957428794578a072b8983e864e5701b52391162abfb2d6d14c6295fa8a16687
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6485
Size: 6444 bytes