Malicious PDF — malware analysis report

Static analysis result for SHA-256 e642ed7f589ab692…

MALICIOUS

PDF

41.9 KB Created: 2020-03-27 04:14:20 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4fdb044afc0189b52985a6d5f20767d7 SHA-1: 32e676b9f3c9b2b40410b8eb6fe3ba8997010ae2 SHA-256: e642ed7f589ab6928cbf2581a19c658f1ba902d95038ab5ba2322125f04af5ac
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files, suggesting a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains references to 'Adobe premiere pro cs6 tutorial pdf download', indicating a lure to disguise the malicious intent. The primary attack pattern involves directing users to a multitude of potentially malicious or misleading external resources.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://calloniris.com/uploads/1/3/0/4/130476039/130476039.html#adobe+premiere+pro+cs6+tutorial+pdf+download
    • http://bellosoftware.com/uploads/1/3/0/5/130551248/kofobopubo_nifevozi.pdf
    • http://paigeleandraphotography.com/uploads/1/3/0/7/130775751/doguvemud.pdf
    • http://ajc308.com/uploads/1/3/0/6/130639045/9305360.pdf
    • http://www.dragonsbreathmagictapping.co.uk/uploads/1/3/0/5/130542692/6593923.pdf
    • http://www.loyeeleads.com/uploads/1/3/0/4/130483302/fupijunepipodujo.pdf
    • http://alexandrethiery.com/uploads/1/3/0/4/130490151/somen_tunox_sakimu_nepiseraj.pdf
    • http://www.nomadscomedyclub.com/uploads/1/3/0/8/130874266/vezedixekupone_xakurajavigu_gimumewowukufa_jijugipefix.pdf
    • http://www.moderndaymira.com/uploads/1/3/0/8/130814411/jupotak_roropexaxolo.pdf
    • http://numb-skullz.com/uploads/1/3/0/8/130814448/nazipuwit.pdf
    • http://godeco.fr/uploads/1/3/0/3/130379634/197db99e04b.pdf
    • http://ark47.com/uploads/1/3/0/2/130292104/7907839.pdf
    • http://redfernbusinesslearning.com/uploads/1/3/0/8/130874358/tonej_dosedulalowed_worufugu_taropijixizodow.pdf
    • http://chefdirectservices.com/uploads/1/3/1/1/131163732/36d8c0e0a4e10.pdf
    • http://www.1ldesign.com/uploads/1/3/0/7/130776619/9245316.pdf
    • http://roseblhair.com/uploads/1/3/0/6/130605044/wevokubajixeveweb.pdf
    • http://zxueproe.brdge.org/uploads/1/3/0/7/130740001/fijokexuk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006dde.bin
a32238a870bfb3babbd5acdcc3ccd879a9c90124c4a5caf53ad442d7c99223c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DDE 10392 bytes
font_01_sfnt_off00009055.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9055 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.