PDF malware analysis — malicious · dba3f07b97c50209

MALICIOUS

PDF

53.5 KB Created: 2020-04-14 20:33:27 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 3db061dff2cd97a0ec5ae43871ab8830 SHA-1: 6f2af397d3739d2532f3dc0d2634cffd8d326e5e SHA-256: dba3f07b97c502091921bc66a946ff846dc64148034e7cd31ab128728cf25613

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named, suggesting a link farm designed to attract traffic or host malicious content. The heuristics indicate this is a classic advance-fee fraud or payment redirection lure, aiming to trick users into financial scams. The document body, though heavily obfuscated, contains references to 'American funds' and 'breakpoints', aligning with the scam lures.

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE

Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://r2medtechregulatoryclinicalqualityllc.com/uploads/1/3/0/2/130289185/130289185.html#american+funds+breakpoints+pdf
- http://drjonhaag.com/uploads/1/3/1/4/131406821/9049048.pdf
- http://sevenseasuniversity.com/uploads/1/3/1/4/131408567/6382913.pdf
- http://doulaemily.com/uploads/1/3/0/3/130323381/vovidamebu.pdf
- http://joy-dogs.com/uploads/1/3/0/5/130539035/619417.pdf
- http://happyhealthycyster.com/uploads/1/3/0/7/130739624/kafafim.pdf
- http://anatoly-nikolsky.com/uploads/1/3/0/8/130874349/7627410.pdf
- http://originalwoodfloorma.com/uploads/1/3/0/7/130775588/e5ba1de.pdf
- http://adultingisforkids.blog/uploads/1/3/1/0/131070805/kages-pukijoneb-benamonidiraxom.pdf
- http://senyalnizdegilsin.com/uploads/1/3/0/4/130491757/laladixiwadotojifovo.pdf
- http://blasrphotos.com/uploads/1/3/0/5/130589160/jikugijosarasuton.pdf
- http://cvillelogo.com/uploads/1/3/0/7/130775715/564e077a.pdf
- http://wineboy.shop/uploads/1/3/0/8/130813609/gewatinatux_fixusoku_nukeximomuv.pdf
- http://matthew-zimmer.com/uploads/1/3/1/4/131437864/8644f.pdf
- http://miusbeautyshop.net/uploads/1/3/0/5/130589354/dowidiv.pdf
- http://africastrategies.com/uploads/1/3/0/4/130476401/kuzewavitige.pdf
- http://anatoly-nikolsky
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009156.bin` `10a4e58cfbd25c6c123ab1cb8d35c67f195896588f8a5e7dbc442237cc8b7f8c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9156	8548 bytes
`font_01_sfnt_off0000b20b.bin` `3974891db8a4ec8ec2d7bd6096109588069a4504a1a2c6a6a63e29e83c6c02e0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB20B	16232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.