Malicious PDF — malware analysis report

Static analysis result for SHA-256 e16da27d07d105ee…

Verdict: MALICIOUS
File type: PDF
Size: 65.6 KB
Created: 2020-05-14 14:07:11 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1a7e886342fa42a3e9f660656d7539f6
SHA-1: c7c385c3c835562db4f6cbf4779d14aea3d6560c
SHA-256: e16da27d07d105eef9e01f6e734fb303b410492ef30d5321036ece0392509767
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell; T1204.001 Malicious Link (T1204.002 is Malicious File; the link-farm behaviour maps to the .001 sub-technique)

The PDF triggers the 'Clipboard command execution lure' heuristic: it instructs the user to copy content and paste it into a shell. Combined with multiple external links to other PDFs, this points to a social-engineering chain designed to get the user to execute attacker-supplied commands or fetch further payloads. The document body references 'run avd manager without android studio windows', which matches the search phrase carried in the fragment of the lure URL and is most likely the SEO bait used to attract victims.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the entries below, the first six are the lure page and the .pdf targets; the last six are RDF, Dublin Core and XMP namespace URIs from the document's metadata packet and are not link targets.
    URLs:
    • http://myautoappeal.com/uploads/1/3/0/7/130739982/130739982.html#run+avd+manager+without+android+studio+windows
    • http://libertyingod.org/uploads/1/3/0/6/130639228/e8f5102d.pdf
    • http://noestansolos.org/uploads/1/3/0/7/130740489/jawozenuwaxabut.pdf
    • http://dakotaprairiek12nd.org/uploads/1/3/0/7/130738623/f79385089e9e.pdf
    • http://yourscrivenerpress.com/uploads/1/3/0/4/130483062/8555905.pdf
    • http://aztimberflooring.com/uploads/1/3/0/6/130639126/xivavotoselaget_fitaj_sozuw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
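The following script is an added example of how the link-farm and URL-extraction heuristics above can be reproduced offline; it is not code from this report or from the analysis tool that produced it. It scans raw PDF bytes (and any stream it can inflate with zlib) for /URI action targets, keeps XMP namespace declarations apart from real link targets, and scores the "small PDF, many external .pdf links" pattern. Because the targets listed in this report sit on different hosts but share the same /uploads/N/N/N/N/N/ path shape, the scorer also clusters by path template, which is a generalisation of the tool's "one host" wording. The thresholds, the regex-based parsing and the minimal sample PDF built in `build_sample_pdf` are all assumptions made for the example; the URLs fed into it are the ones from the list above.

```python
import os
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Standard RDF / Dublin Core / XMP namespaces that wkhtmltopdf's Qt backend
# writes into the metadata packet. They are declarations, not link targets.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/",
    "http://ns.adobe.com/",
)
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /URI (http://...) inside a URI action
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9]+="([^"]+)"')  # namespace declarations in XMP
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _inflate_streams(data):
    """Yield the inflated body of every stream that turns out to be zlib data."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or non-Flate stream, e.g. the XMP packet

def extract_uris(data):
    """Return (uri_action_targets, xmlns_uris), deduplicated in file order."""
    links, meta = {}, {}
    for body in [data, *_inflate_streams(data)]:
        for m in URI_KEY_RE.finditer(body):
            links[m.group(1).decode("latin-1")] = None
        for m in XMLNS_RE.finditer(body):
            meta[m.group(1).decode("latin-1")] = None
    return list(links), list(meta)

def is_xmp_namespace(uri):
    return uri.startswith(XMP_NAMESPACE_PREFIXES)

def path_template(url):
    """Generalise a URL path: digit runs become N, the file stem becomes *."""
    path = re.sub(r"\d+", "N", urlsplit(url).path)
    head, _, tail = path.rpartition("/")
    return f"{head}/*{os.path.splitext(tail)[1].lower()}"

def score_link_farm(targets, pdf_size, max_size=256 * 1024, min_links=4, share=0.5):
    """Score the link-farm heuristic. Thresholds are illustrative assumptions."""
    external = [u for u in targets if u.startswith(("http://", "https://"))]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tmpl = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "top_host_share": top_host,
        "top_template_share": top_tmpl,
        "link_farm": (pdf_size <= max_size and n >= min_links
                      and len(pdf_targets) / n >= share
                      and max(top_host, top_tmpl) >= share),
    }

def triage(pdf_bytes):
    """Run extraction plus scoring; namespace URIs are reported separately, never counted."""
    links, meta = extract_uris(pdf_bytes)
    result = score_link_farm([u for u in links if not is_xmp_namespace(u)], len(pdf_bytes))
    result["metadata_namespaces"] = [u for u in meta if is_xmp_namespace(u)]
    return result

def build_sample_pdf(plain_urls, packed_urls):
    """Construct a minimal PDF (sample input for this example, not the real file):
    one Link annotation per URL, some inside a FlateDecode stream, plus an XMP
    packet carrying the usual namespace declarations."""
    def annot(u):
        return f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
    page = " ".join(annot(u) for u in plain_urls).encode("latin-1")
    packed = zlib.compress(" ".join(annot(u) for u in packed_urls).encode("latin-1"))
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + page + b"] >> endobj\n",
        b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp),
        xmp + b"\nendstream endobj\n",
        b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed),
        packed + b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)

# URLs taken from this report's URL list: the lure page first, then the .pdf targets.
SAMPLE_URLS = [
    "http://myautoappeal.com/uploads/1/3/0/7/130739982/130739982.html#run+avd+manager+without+android+studio+windows",
    "http://libertyingod.org/uploads/1/3/0/6/130639228/e8f5102d.pdf",
    "http://noestansolos.org/uploads/1/3/0/7/130740489/jawozenuwaxabut.pdf",
    "http://dakotaprairiek12nd.org/uploads/1/3/0/7/130738623/f79385089e9e.pdf",
    "http://yourscrivenerpress.com/uploads/1/3/0/4/130483062/8555905.pdf",
    "http://aztimberflooring.com/uploads/1/3/0/6/130639126/xivavotoselaget_fitaj_sozuw.pdf",
]

if __name__ == "__main__":
    for key, value in triage(build_sample_pdf(SAMPLE_URLS[:3], SAMPLE_URLS[3:])).items():
        print(f"{key}: {value}")
```

On the real sample the same approach applies to the file on disk (`triage(open(path, "rb").read())`); the regex scan is deliberately tolerant of malformed PDFs, but it does not decode object streams with predictors or non-Flate filters, so a zero link count should be re-checked with a full PDF parser before it is trusted.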

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded sfnt font subsets are normal for wkhtmltopdf/Qt output and are listed for completeness rather than as indicators.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000bd51.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xBD51  11736 bytes
  SHA-256: e0acd74541055b7bc8a2e714d304b84d710537372c5b40c64eeec7869a2df60b
font_01_sfnt_off0000e515.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE515  16420 bytes
  SHA-256: 7ee38ba7b0a7ecfe71ef141f63cdf681c0ed7978b399606ba6da83ebec36b882