Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbacfad838c0d1ff…

MALICIOUS

PDF

63.4 KB Created: 2020-03-29 21:52:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1f9f2c6b74f84a094eefff2dd1add8fd SHA-1: 5cc9390c803a460a5bcd42453a7367a9e282ceec SHA-256: dbacfad838c0d1ff5a14ddd57825482e8b623f391c291ee7fb6dd49f6159ca15
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links, many pointing to other PDF files, suggesting a link farm or SEO abuse tactic. The document body, though heavily obfuscated, contains a URL that appears to be a lure for downloading a password-protected archive, a common method to bypass security filters. The presence of a password archive lure heuristic further supports this. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://neokundalini.org/uploads/1/3/0/9/130968976/130968976.html#comando+para+apagar+servidor+linux+red+hat
    • http://myangelabartlett.com/uploads/1/3/0/8/130814290/pimokudod-perebovabijizex-xinimefuwerikid.pdf
    • http://eurorumors.com/uploads/1/3/0/6/130620991/josak.pdf
    • http://mail.mandalaband.net/uploads/1/3/0/8/130813320/b252c.pdf
    • http://mta10.somekindofsimple.com/uploads/1/3/1/0/131071262/mofupisa.pdf
    • http://pennywiseautoadvisors.org/uploads/1/3/0/9/130969838/9509953.pdf
    • http://centre-climatechange-biodiversity-tl.org/uploads/1/3/0/4/130490786/a699e3.pdf
    • http://thepackbrotherhood.com/uploads/1/3/0/6/130604215/7081b.pdf
    • http://moxdemo5.com/uploads/1/3/0/7/130738555/jewigarut-rokaler-biruwiwin.pdf
    • http://dncproductions.org/uploads/1/3/0/5/130539654/9354600.pdf
    • http://arttherapycatemp.com/uploads/1/3/1/4/131406092/nitiketi.pdf
    • http://cuttingedgesebringfl.com/uploads/1/3/0/6/130605516/sumewadumenol.pdf
    • http://honesthomebuyer.com/uploads/1/3/0/7/130775053/nekuxofupabevi.pdf
    • http://myriadconsol.com/uploads/1/3/0/4/130489343/c5d84c070ebd3e.pdf
    • http://dreamdanceschool.net/uploads/1/3/0/5/130539933/xunomos-wizuwotefaf.pdf
    • http://klgovaffairs.com/uploads/1/3/0/6/130639074/kusijavitox-wolevim-jawevax-penasurol.pdf
    • http://neokundalini.org/uploads/1/3/0/5/130550836/5ceac85.pdf
    • http://hempcultivationexperts.com/uploads/1/3/0/3/130323603/258130.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bce3.bin
0ff4ee81cd694a2e35d3eff81075fc76eb2781aeb836065a012e1f4925281f31		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBCE3 11612 bytes
font_01_sfnt_off0000e636.bin
63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE636 2600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.