Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2f94897dc3b0d36…

MALICIOUS

PDF

42.6 KB Created: 2020-04-17 14:28:54 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 94311e674ad5143274cd6d65b0212733 SHA-1: 1d1771d2d3da1ef0a02c3fb4e00590236705c85f SHA-256: d2f94897dc3b0d36ed4f67c0bfb80d3cbfb215ba3f9d5f2e81e763926e739d6e
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, forming a link farm hosted on multiple domains. One heuristic indicates visible command execution instructions within the document, suggesting it may attempt to leverage system tools. The primary intent appears to be directing users to a network of linked PDF files, likely for SEO manipulation or to serve as a distribution point for further malicious activity.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mindforyou.org/uploads/1/3/1/6/131636907/131636907.html#fool+for+you+sheet+music+pdf
    • http://shopperevaluationsurvey.com/uploads/1/3/1/4/131405948/bijenexi.pdf
    • http://mitchellglover.com/uploads/1/3/1/3/131398008/2854226.pdf
    • http://fredericksburgghosts.com/uploads/1/3/1/0/131070983/75f621.pdf
    • http://selambalaj.com/uploads/1/3/0/5/130551271/9474623.pdf
    • http://stevenjdenton.com/uploads/1/3/0/6/130604694/5638520.pdf
    • http://allperth.net/uploads/1/3/0/4/130436209/949320.pdf
    • http://3003exposition.com/uploads/1/3/0/7/130739996/bonaxutaje_fepinagerego_letokafodos.pdf
    • http://oteccoachinglive.com/uploads/1/3/0/4/130483445/9b3cb1c3de782.pdf
    • http://memeunion.org/uploads/1/3/0/2/130291434/51d2ce7348c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007bc6.bin
76caf2e88d03c00bca8b5060f6d9222d740c9a0943205fb3f856ec6de590af74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7BC6 9540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.