Malicious PDF — malware analysis report

Static analysis result for SHA-256 da124c31fc936f03…

MALICIOUS

PDF

Size: 32.4 KB
Created: 2020-04-21 17:05:26 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4ad2da8d940754bf39803d39f712d919
SHA-1: 445cb9bc384da2f233cdb8006a35d8879d13ca3f
SHA-256: da124c31fc936f03df34b96bef11943b990d0ec67ed606386f6ef2a4a83b8191
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm or a mechanism to distribute malicious content. The document body suggests a lure related to 'Labour attendance sheet in excel format', which is likely a pretext to encourage downloads. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery or execution methods.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://veteransclc.org/uploads/1/3/0/2/130289735/130289735.html#labour+attendance+sheet+in+excel+format