Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5bbc743e196911b…

Verdict: MALICIOUS
File type: PDF
Size: 38.9 KB
Created: 2020-03-08 00:46:24 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4607d4aa559acf756cd66580e4ff522d
SHA-1: f67961c065d8ca13478a083492dfd1e17b6e4831
SHA-256: e5bbc743e196911b844d30cc05e4d7710cafd7103d658fb0c1a0716122e327a6
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries a large number of external link annotations, most of which point to other PDFs hosted on ten different domains under an identical generated /uploads/1/3/0/N/<id>/ path template; together with the wkhtmltopdf producer string, this is consistent with an HTML-to-PDF converted SEO carrier page rather than a human-authored document. The document body text, though heavily obfuscated, contains one URL whose fragment reads 'job promotion letter doc', a lure for a victim searching for such a document. This suggests a social engineering chain in which the user is routed, by clicking, into further malicious or unwanted-software downloads. No JavaScript or other active content was extracted from this sample; the risk lies in where the links lead, not in the file itself.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass of external PDF links
    Small PDF contains many clickable external PDF links (here ten, on ten different hosts that share one generated /uploads/1/3/0/N/<id>/ path template). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it matters here only because the link-farm finding points to a malicious workflow.
  • PDF_URI (info): External URI action
    PDF contains at least one /URI action on a link annotation.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL itself is not a detection; the channel that reached each URL (macro, JS, link annotation, document body, metadata, ...) is what matters.
    From the document body text (the 'job promotion letter' lure):
    • http://klokkeraadgivning.com/uploads/1/3/0/4/130490301/130490301.html#job+promotion+letter+doc
    From link annotations (/URI actions), each on a different host but all under the same /uploads/1/3/0/N/<id>/ path template:
    • http://www.twinhorsefarm.com/uploads/1/3/0/7/130776125/3d2dd5.pdf
    • http://equineshoponline.com/uploads/1/3/0/2/130272955/morisuj-faxato-wamegotale.pdf
    • http://thinqehr.net/uploads/1/3/0/2/130289749/ratojokakapupe.pdf
    • http://beatinghearthealth.com/uploads/1/3/0/6/130621938/vugolufulami_vobalinedutu_jemeterinojidu_didatufewosak.pdf
    • http://tntmusic62.com/uploads/1/3/0/3/130323641/e455a3f5cee94a.pdf
    • http://delightfulgraze.com/uploads/1/3/0/8/130813409/831860.pdf
    • http://globalclimatefacts.com/uploads/1/3/0/6/130639498/kenugub.pdf
    • http://rubyjoybook.com/uploads/1/3/0/4/130435574/2160455.pdf
    • http://www.nightcycle.studio/uploads/1/3/0/4/130477719/fasatejibaxigux.pdf
    • http://mobileteleprompter.net/uploads/1/3/0/3/130312986/7ab51df.pdf
    From the XMP metadata stream. These are RDF/Dublin Core/Adobe namespace identifiers written by the producer, not link targets, and carry no signal on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
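The link-farm heuristic and the per-channel URL separation above, as an added Python example that is not part of the report's own tooling. It assembles a small constructed PDF (hostnames under the reserved .invalid TLD, path template copied from the listed URLs), pulls /URI action targets out of link annotations separately from the xmlns declarations in the XMP packet so metadata namespaces are never counted as links, and then scores file size, .pdf link count and host or path-template clustering. The thresholds (100 KB, five links, 60% cluster share) are assumptions, and clustering by path template goes beyond the host-only rule described in the heuristic text.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed inputs (not the analysed sample): one HTML lure plus eight .pdf
# links on eight different .invalid hosts that share one generated path template.
CONSTRUCTED_LINKS = [
    "http://lure-host.invalid/uploads/1/3/0/4/130490301/130490301.html#job+promotion+letter+doc",
] + [f"http://site{i}.invalid/uploads/1/3/0/{i}/13031298{i}/file{i}.pdf" for i in range(8)]

CONSTRUCTED_XMP = (
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
    b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
    b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>'
)


def build_pdf(links, xmp):
    """Assemble a minimal PDF: catalog, page tree, one page whose /Annots are
    /Link annotations carrying /URI actions, and an XMP /Metadata stream.
    No xref table is written; the regex scanner below does not need one."""
    annot_refs = " ".join(f"{5 + i} 0 R" for i in range(len(links)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annot_refs}] >>".encode(),
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
    ]
    for i, url in enumerate(links):  # constructed URLs contain no parentheses, so no string escaping needed
        y = 700 - 20 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 500 {y + 15}] "
                    f"/A << /S /URI /URI ({url}) >> >>".encode())
    body = b"".join(f"{n} 0 obj\n".encode() + o + b"\nendobj\n" for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# /URI key followed by a literal string: the target of a URI action.
# The "/S /URI" entry is a name, not a string, so it does not match.
URI_ACTION = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Namespace declarations inside the XMP packet: vocabulary identifiers, not links.
XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')


def extract_uri_actions(data):
    """Channel 'link annotation': every /URI action target in the file."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(data)]


def extract_xmp_namespaces(data):
    """Channel 'metadata': xmlns URIs, reported separately and never scored as links."""
    return [m.group(1).decode("latin-1") for m in XMLNS.finditer(data)]


def path_template(url):
    """Collapse digit runs in the directory part so /uploads/1/3/0/4/130490301/
    and /uploads/1/3/0/7/130776125/ compare equal."""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(size_bytes, uris, max_size=100_000, min_pdf_links=5, cluster_share=0.6):
    """Assumed thresholds: small file, many external .pdf links, and a majority of
    them sharing one host or one path template."""
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    host_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    tpl_share = max(templates.values()) / len(pdf_links) if pdf_links else 0.0
    hit = (size_bytes <= max_size and len(pdf_links) >= min_pdf_links
           and max(host_share, tpl_share) >= cluster_share)
    return {
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host_share": round(host_share, 2),
        "top_path_template_share": round(tpl_share, 2),
        "verdict": "PDF_SEO_LINK_FARM" if hit else "no-hit",
    }


def triage(data):
    """Run both extractors and the heuristic; XMP namespaces are counted but excluded."""
    result = link_farm_verdict(len(data), extract_uri_actions(data))
    result["xmp_namespaces_excluded"] = len(extract_xmp_namespaces(data))
    return result


if __name__ == "__main__":
    print(triage(build_pdf(CONSTRUCTED_LINKS, CONSTRUCTED_XMP)))
```

On the constructed file the host share stays low (every link is on a different host, exactly as in the listing above) while the path-template share is 1.0, which is why a host-only rule would under-call this pattern; the metadata namespaces are reported as a count but never enter the score.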

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007012.bin
SHA-256: 06920258910b8e2ea00fecbe397e742c8cdebf0440fb899d2a54346e0bbb002e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7012
Size: 8108 bytes