Malicious PDF — malware analysis report

Static analysis result for SHA-256 d535a1132d34408d…

MALICIOUS

PDF

32.8 KB Created: 2020-06-15 18:31:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dbe9963880f317defc035dfc7d3e2572 SHA-1: 8f4c660f44ea58caad181502700f9e4ee70ba3b0 SHA-256: d535a1132d34408d0994fc51e13ac18cf8e6dcbf8d1cc85c1dde6ab991e4237c
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a link farm of 16 external PDF links, many of which are SEO-optimized and hosted on various domains. This technique is often used to distribute malicious payloads or redirect users to phishing sites. The presence of a 'download button' heuristic further supports the lure-based attack pattern. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://amios.info/uploads/1/3/0/7/130740012/130740012.html#madeline+hunter+lesson+plan+template+pdf
    • http://hostmaster.themobilityfactory.eu/uploads/1/3/0/3/130323425/zaralow-nenil-xuzemaxenegub.pdf
    • http://eng.hnaconsult.com/uploads/1/3/1/3/131398291/repulakilupas.pdf
    • http://maujalan.id/uploads/1/3/1/3/131379945/2d823f9ff.pdf
    • http://vincelaliberte.com/uploads/1/3/0/8/130874667/b637f9ab0a72c7.pdf
    • http://ns1.smadojo.com/uploads/1/3/0/5/130588268/f67ba262062f2e9.pdf
    • http://webdisk.thehavenresorts.com/uploads/1/3/1/3/131384301/9311197.pdf
    • http://wellnessreclamation.com/uploads/1/3/1/8/131871614/vawabagaxamaje.pdf
    • http://davidlockwoodhomes.com/uploads/1/3/1/4/131438758/bba9623ec4d0b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000055e3.bin
ad7efbd0c01df161ac59f9f47a2e6f6040b0909dbe1110ee31a1f2cfe4608d7c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55E3 10044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.