Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5a244c314608221…

MALICIOUS

PDF

37.2 KB Created: 2020-05-14 10:16:16 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 770cbe2facdb186a0bdde116c61636d9 SHA-1: c5204e5a1b7c4c58e27a8d31a68bc766499026d2 SHA-256: e5a244c314608221982c09f5ee6eb35687546d932b00a6655b92c75c4d7a1e7a
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. This pattern is indicative of a link farm designed to improve search engine visibility for terms like 'Paintshop pro 2018 crack', as suggested by one of the embedded URLs. The presence of a 'download button' heuristic further supports the idea that the document is intended to trick users into clicking malicious links. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://perillianconsulting.com/uploads/1/3/1/0/131070500/131070500.html#paintshop+pro+2018++crack
    • http://fortitudecommercialcontracting.com/uploads/1/3/0/8/130814070/zusiw_xulawi_soxub.pdf
    • http://cgreeves.com/uploads/1/3/0/8/130814874/2a5884.pdf
    • http://twilightspas.net/uploads/1/3/0/5/130590391/jobimipadopigek-vomiraral.pdf
    • http://counterblaze.com/uploads/1/3/0/7/130775731/nufov.pdf
    • http://areteintlrealty.com/uploads/1/3/0/6/130639406/jobavarazorila.pdf
    • http://kelliekrischbaum.com/uploads/1/3/0/4/130488365/nezolaveker.pdf
    • http://give-justice.com/uploads/1/3/0/4/130476574/najaluxiv-xomamukutuma-buruwukige.pdf
    • http://flashtrailers.com/uploads/1/3/0/4/130494059/4729784.pdf
    • http://dkbhardware.com/uploads/1/3/1/3/131379541/e1a4f9.pdf
    • http://sophiaisabellablog.com/uploads/1/3/0/8/130874139/7104177.pdf
    • http://alyssafmccall.com/uploads/1/3/0/6/130621506/jiwimedojekiwojazi.pdf
    • http://mwmearthworks.com/uploads/1/3/1/3/131382721/boxukugoza-jagagafulojoni-mewopuxomimivi-vekawiropudil.pdf
    • http://dan3finneylaw.com/uploads/1/3/0/2/130288448/ad7e3e0eaa3.pdf
    • http://theblackswanboutique.com/uploads/1/3/0/8/130814784/siseki_jofana_ramugetefevize.pdf
    • http://hardingcountybook.com/uploads/1/3/1/0/131070330/3548362.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000649c.bin
33fa1f66a7eaf6380c2e39e64587aae5ee4ff63076d7e6b07a57d893d1305ee1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x649C 10756 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.