Malicious PDF — malware analysis report

Static analysis result for SHA-256 e68fcc25e9657cba…

Verdict: MALICIOUS
File type: PDF
Size: 32.8 KB
Created: 2020-04-13 21:21:03 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 21c6471a0ef01f7624d09d6d30f251db
SHA-1: 7daba407040f41159a2a2d5850582150048baf41
SHA-256: e68fcc25e9657cba9f0b640b52b7ecc6bc11cba8ca689bd1e43084fbe321e86a
Risk Score: 72

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link

The PDF document contains numerous external links, many of which point to other PDF files hosted on various domains. The document body, though partially corrupted, suggests a lure related to 'calculus notes grade 12 pdf'. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external links, likely intended to manipulate search engine results or distribute malicious content. The presence of a 'download button' heuristic further supports the idea of a deceptive download lure.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low] (SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://2brosconstruction.com/uploads/1/3/0/6/130621194/130621194.html#calculus+notes+grade+12+pdf
    • http://bourneadventure.com/uploads/1/3/0/5/130590561/6028723.pdf
    • http://bolobgame.com/uploads/1/3/1/1/131163492/gafidisiwoje-jogexuzuneta.pdf
    • http://centroeducativolejardin.com/uploads/1/3/0/2/130270879/bcc166.pdf
    • http://theprogramminglanguagepodcast.com/uploads/1/3/1/3/131398108/dibozotamaluz.pdf
    • http://foretokenmetal.com/uploads/1/3/1/0/131070912/fewedovetixetemi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000582f.bin
SHA-256: 3c784d7301bb8d2d1fd6d6db64d46536928010f1f3ef9e085cecc0cf08917a70
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x582F
Size: 8216 bytes