Malicious PDF — malware analysis report

Static analysis result for SHA-256 e24cf2534144dbc0…

Verdict: MALICIOUS

File type: PDF

Size: 49.1 KB
Created: 2020-04-27 02:53:31 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 62d176f47ea2f389f5482aaf17d6dffc
SHA-1: ea2c642d5f71e9a2591784bd59d8dc9b92fc4818
SHA-256: e24cf2534144dbc0a610cf9aae114af07219ec181f3378da4cd2cd4d930159a2
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to other PDF files with numeric slugs, indicating a link farm or SEO abuse tactic. One of the embedded URLs, http://silvergatomon.net/uploads/1/3/0/2/130274378/130274378.html#frozen+flower+game, suggests a lure related to a game. No scripts were extracted, and the document body is heavily obfuscated, limiting further analysis of the exact payload or intent beyond the link farming and lure. The primary attack pattern observed is the use of a PDF document to host a link farm, likely to direct users to malicious content or phishing sites.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://silvergatomon.net/uploads/1/3/0/2/130274378/130274378.html#frozen+flower+game

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off00006735.bin  487d31c525aeee899633737c84c28153e1cf1724c38a005bb01c2f307195bd3e  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6735  8380 bytes
font_01_sfnt_off00008716.bin  2d6bd6032eb36d2a5141bbf354c5cc4aee3708917332664e7aa619b3a9ae568a  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8716  2740 bytes
font_02_sfnt_off000090c7.bin  f52f3452b6bb22c9edac6104dbf51134afc0a461975a0f284b4c13f7bc973327  pdf-font-stream  PDF embedded font (sfnt) at offset 0x90C7  3372 bytes
font_03_sfnt_off00009e65.bin  3404cfd2d972e468b8148cd46fa373f74eff9f01bc9707c26bfc866565d6361d  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9E65  17020 bytes