Malicious PDF — malware analysis report

Static analysis result for SHA-256 d48bca7cc4b6e9bb…

Verdict: MALICIOUS
File type: PDF
Size: 40.9 KB
Created: 2020-05-30 08:47:14 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 954fc2d11fdf066f9b7e758836a998de
SHA-1: 41fe88759658f4135aad9a002e8af3271b5ee00c
SHA-256: d48bca7cc4b6e9bb1c99c11a01b7419ec4b724fc7e591d766f65cd9a6ce37315
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, with several pointing to suspicious domains. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external PDF links, suggesting a link farm or redirection tactic. The document body contains garbled text but also includes the URL 'http://74-123-73-74.mgwnet.com/uploads/1/3/0/6/130640070/130640070.html#toned+in+90+days', which is also listed as an extracted URL. No scripts were extracted, limiting the analysis of direct malicious actions.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://74-123-73-74.mgwnet.com/uploads/1/3/0/6/130640070/130640070.html#toned+in+90+days

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000073e7.bin
SHA-256: 4020c2a992f898fc27a088018a81926e609e3d418e4272927a405ba56c34911f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x73E7
Size: 10932 bytes