Malicious PDF — malware analysis report

Static analysis result for SHA-256 e490a03d0fbd33a1…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Created: 2020-04-12 15:44:26 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ae8c9fc653da7e888a4d0e97abb6158f
SHA-1: e985409cee20cce0a91e4bd16f2bb4f1c6a44796
SHA-256: e490a03d0fbd33a101f85627f0ba23f4e5a939b39672385b65aa83395f1a3f06
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF contains a mass external link farm, with multiple URLs pointing to PDF files. Crucially, the document employs a clipboard command lure, instructing the user to copy and paste content into a shell, which is a common technique for executing malicious payloads. The embedded URL 'http://portlandraindance.com/uploads/1/3/0/8/130874517/130874517.html#ls+dyna+mpp+smp' is likely part of this execution chain.

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] SE_CLIPBOARD_COMMAND_LURE: Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://portlandraindance.com/uploads/1/3/0/8/130874517/130874517.html#ls+dyna+mpp+smp

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000670c.bin
SHA-256: 8b690fd86789180d6fa5ff4fcf0f3aa2288f73925a358020ad169fb1451cf732
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x670C
Size: 7684 bytes