Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc762c868214842c…

Verdict: MALICIOUS
File type: PDF
Size: 36.3 KB
Created: 2020-05-15 08:44:33 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3f6fd27fc76301906743e49effed14d8
SHA-1: 6f32602791e8ce51759d216fd436838593387a58
SHA-256: dc762c868214842c7ef211a7627c0fee345484ee09e7b2f432301c5d74a34bcb
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to other PDFs hosted on similar domains. The document body and heuristics indicate a lure for a password-protected archive, likely to bypass security controls. The primary intent appears to be directing the user to download a malicious archive, which is then likely protected by a password hinted at in the document.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://chewoncakes.com/uploads/1/3/0/7/130740589/130740589.html#remove+forgotten+password+from+excel+2010+worksheet
    • http://dusthunters.biz/uploads/1/3/0/7/130776511/8bcda.pdf
    • http://larucciinformation.com/uploads/1/3/0/3/130323491/kosobireme.pdf
    • http://gentleman-door.com/uploads/1/3/0/6/130620752/puvamap.pdf
    • http://acadianarefinishing.com/uploads/1/3/0/2/130270823/tababagox_gebukasusulixu.pdf
    • http://brandonericksonlaw.com/uploads/1/3/1/3/131380504/8b5e2a6d6d3.pdf
    • http://gandgpropety.com/uploads/1/3/0/6/130639032/fejamomipigutog.pdf
    • http://casecatalysttraining.com/uploads/1/3/1/4/131483005/wikawarofurepigul.pdf
    • http://martincphotography.com/uploads/1/3/0/8/130874265/046274613.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006154.bin
SHA-256: 8033657dfcdfe6106cda02db8cdb7be2816ea0f48459d67d020a0f3b7813dad4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6154
Size: 10812 bytes