Malicious PDF — malware analysis report

Static analysis result for SHA-256 e167584133c5547b…

MALICIOUS

PDF

38.5 KB Created: 2020-04-07 07:10:38 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1a4f44305f3af9eee28efcf129d75076 SHA-1: f4d8ee61e592280e129bc11f76c265dee130103c SHA-256: e167584133c5547bc1231a5ef9befb66834fd59bceccaac1e07f2b5aa19674b7
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to other PDF files, indicating a link farm or SEO spam tactic. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests that the document may contain instructions for executing commands, potentially via tools like PowerShell or mshta, to facilitate the redirection to these external sites. The primary goal appears to be driving traffic to a network of websites, likely for malicious purposes such as phishing or malware distribution.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tarasnaumenko.com/uploads/1/3/0/8/130813516/130813516.html#palabras+con+gue+gui+para+segundo+de+primaria
    • http://gerryread.com/uploads/1/3/0/3/130323937/4213881.pdf
    • http://oakhillcontractorsllc.net/uploads/1/3/0/9/130968960/f8460be0a.pdf
    • http://enem2022.com/uploads/1/3/1/1/131163684/426a093ca874dc4.pdf
    • http://russellpatton.com/uploads/1/3/0/7/130739182/xinojekoxemavi_fafudulo_buruponux.pdf
    • http://laplazita.org/uploads/1/3/0/6/130604256/toxosub-bimosawuzulafi-jusagovamukelet.pdf
    • http://mbroofing-llc.com/uploads/1/3/0/2/130289341/wokufeviwawebivon.pdf
    • http://blisspractice.org/uploads/1/3/0/5/130588287/puduvovidenapuwute.pdf
    • http://musepop.us/uploads/1/3/0/7/130776575/buxepos.pdf
    • http://derlungenarzt.com/uploads/1/3/0/6/130605237/e717c1fa.pdf
    • http://smalltowncleaning.net/uploads/1/3/1/4/131437733/wudes-verefarozaxono.pdf
    • http://kyles-kitchen.com/uploads/1/3/0/5/130551433/8161297.pdf
    • http://spccmd.com/uploads/1/3/0/8/130813108/boxulipaditozo.pdf
    • http://prestigeclothing.shop/uploads/1/3/1/3/131379776/6618502.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006943.bin
db3408d78312e77e9f1caecc0dd2ef23df0563369cd22bbe7f46490e4176dfa9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6943 9544 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.