PDF malware analysis — malicious · e50e607e24aa1a32

MALICIOUS

PDF

40.9 KB Created: 2020-04-10 01:15:21 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: d4de18914eb90059bf573eb960d27955 SHA-1: 29f621fdeb799473ff797fedbfddecd5c32401f9 SHA-256: e50e607e24aa1a32565c70528860c447f1091f8d67faa63839e42fff23a2b1ed

162 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are dynamically generated and point to PDF files, suggesting a link farm or SEO poisoning tactic. The document body text and one of the extracted URLs explicitly mention 'Pes 2008 download full version free', indicating a lure for users seeking software. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests that the document may be intended to trick users into providing a password for an encrypted archive, which is a common method for evading gateway security. The ClamAV detection further confirms its malicious nature.

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Dropper.Agent-9168181-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-9168181-0
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://jolvworld.com/uploads/1/3/1/6/131606295/131606295.html#pes+2008+download+full+version+free
- http://airstreamflying19cb.net/uploads/1/3/0/5/130590126/waxupogekemufenuviz.pdf
- http://risingseamedicinals.com/uploads/1/3/1/4/131453284/01c7612c8162.pdf
- http://royalpalmtitle.com/uploads/1/3/0/3/130379673/2785840.pdf
- http://engageprep.com/uploads/1/3/0/5/130551103/fububugi.pdf
- http://coshillustrates.com/uploads/1/3/1/0/131070705/nikimigiwo.pdf
- http://childsexualabuseinfo.com/uploads/1/3/1/3/131384281/9c3a5dad.pdf
- http://annkellettwritingandediting.com/uploads/1/3/0/3/130323642/xuromemegob-tonewapiz.pdf
- http://lgbelectricalcontracting.net/uploads/1/3/1/3/131381891/kifafosojoforatavu.pdf
- http://jmatrealtymedia.com/uploads/1/3/0/7/130739026/54a040800a2.pdf
- http://brighde.com/uploads/1/3/0/7/130740598/xetobepid.pdf
- http://disciplesbayou.com/uploads/1/3/1/4/131412491/kolefedu-tejel-relatikitodenav.pdf
- http://annuitycommerce.com/uploads/1/3/0/6/130604588/5122338.pdf
- http://seventhworld.club/uploads/1/3/0/8/130874039/febuwedogakuvo_tonaxogu_reguritukex_vodow.pdf
- http://worldcheaptour.com/uploads/1/3/0/6/130621532/0c5ba38a919.pdf
- http://patshatsbypatricia.com/uploads/1/3/0/3/130313541/gusidatopajenuj.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006d00.bin` `408c72f7f1a66038a22366faea00ff368b6f4f79ca9226edcb02a4a43fe48696`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D00	8524 bytes
`font_01_sfnt_off00008da9.bin` `83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DA9	1708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.