Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2e420492f65a6dd…

MALICIOUS

PDF

37.0 KB Created: 2020-03-16 01:52:22 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e9ada909cd730898c4d7b496bd0541a1 SHA-1: 21f8c6656784ae062da0207b024134183b8e5acf SHA-256: d2e420492f65a6dd068ed1cd6cfe97662b8b4f28ad7fea6a3c9b0c184434271d
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body, though corrupted, suggests a lure related to an 'Android developer resume'. The presence of a 'Visible LOLBin command execution instruction' heuristic indicates that the document is designed to execute commands, likely to download and execute further payloads from the numerous embedded URLs. The primary intent appears to be to trick users into clicking links that lead to malicious content or further infection vectors.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://digitaldocmd.com/uploads/1/3/0/2/130288431/130288431.html#android+developer+resume+1+year+experience
    • http://therealmick.com/uploads/1/3/0/3/130323141/katovikogil-kolufabigiv-lavotixedada-tamebuz.pdf
    • http://www.susanlawton.susan-zises.com/uploads/1/3/0/6/130620573/xagebilawivipixel.pdf
    • http://spyclan.com/uploads/1/3/0/3/130323535/ebe0386d36ba247.pdf
    • http://my-healthjournal.com/uploads/1/3/0/5/130539660/bifakuledomu-xowikowuwunes-jazawib-weduzikupebak.pdf
    • http://feellikerealteeth.com/uploads/1/3/0/5/130543536/juzag.pdf
    • http://mysticalearthhealing.com/uploads/1/3/0/4/130478975/c330b8d16c4bf6.pdf
    • http://sharkhunterapparel.com/uploads/1/3/0/6/130605492/zupadekuserezumumolu.pdf
    • http://mentortreecare.com/uploads/1/3/0/3/130379408/9514622.pdf
    • http://lattaconsultants.com/uploads/1/3/0/7/130775518/zajusanuzire.pdf
    • http://smalltowncleaning.net/uploads/1/3/0/2/130270994/5d94da126a401.pdf
    • http://nowallsministry.net/uploads/1/3/0/5/130590463/3d89a19389.pdf
    • http://reviewweiver.com/uploads/1/3/0/6/130604724/3767611.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000673e.bin
2dd74507613bfa8353425e0168e8fd0399997b0cb2f13d562b710b050b49cd75		 pdf-font-stream PDF embedded font (sfnt) at offset 0x673E 8260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.