Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6156ee962062fe1…

MALICIOUS

PDF

43.9 KB Created: 2020-04-09 08:51:16 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 821a770e2bcb5a72637473f22f9b0229 SHA-1: 825be3267cd5d599c04f70dfb6c53cd8babd0296 SHA-256: d6156ee962062fe169c64b8ad0d3ba60f5698712c15c707df3d439b1fc86ce1d
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO manipulation or to host malicious content. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document instructs the user to copy and paste content into a command-line interface, a common tactic to trick users into executing downloaded payloads. The embedded URLs are likely part of this distribution mechanism.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://imagesbysue-be-doo.com/uploads/1/3/0/9/130969166/130969166.html#jupyter+notebook+tutorial+fran%C3%A7ais+pdf
    • http://accrue2move.com/uploads/1/3/0/6/130621496/bilatinofuwoloku.pdf
    • http://newriversales.com/uploads/1/3/0/6/130604105/jekagekixuduk.pdf
    • http://smileswesleychapel.com/uploads/1/3/0/6/130639641/wurodo_pazenowodufat_xixiru.pdf
    • http://elitepipingcivil.org/uploads/1/3/0/4/130436339/4389513.pdf
    • http://jamesstockhorst.com/uploads/1/3/1/3/131382607/3828184.pdf
    • http://armedintrudersafetyschool.com/uploads/1/3/0/2/130271139/5870925.pdf
    • http://sareiannassweets.com/uploads/1/3/0/6/130639309/5717424.pdf
    • http://villagebaptistchurch.info/uploads/1/3/0/5/130550890/defojadifidipiw_xikazobebi_xalizutapazotux_kejejibaruma.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000081dc.bin
0c861f08a6695d9742fcd9c6c7521ac23ac611c6f0e7e53051243a3db882a39a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81DC 7884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.