Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7c984d62eb6b8a9…

MALICIOUS

PDF

35.1 KB Created: 2020-03-22 12:40:47 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 15e898b36376a6f53cd34be38e022448 SHA-1: fad4017e9690b640d91001a7445ae67adc4c5b58 SHA-256: e7c984d62eb6b8a94d22959982facace884069124f5206f01992ba4b468dadcb
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains a large number of external links, many of which are SEO-optimized PDF files hosted on various domains. One of the embedded URLs, 'http://stageforthesale.com/uploads/1/3/0/7/130776185/130776185.html#epson+tm-u220d+modelo+m188d+driver+download', suggests a lure for downloading a driver. The presence of a visual download button further supports this phishing or malware delivery attempt. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stageforthesale.com/uploads/1/3/0/7/130776185/130776185.html#epson+tm-u220d+modelo+m188d+driver+download
    • http://livairsoftxtreme.com/uploads/1/3/0/7/130739878/4474416.pdf
    • http://emberrosehtx.com/uploads/1/3/0/4/130435892/pibowumomezaju-boxizebijugar.pdf
    • http://francescoangeloni.com/uploads/1/3/0/4/130488743/6952627.pdf
    • http://thesymphonychurch.com/uploads/1/3/0/5/130588459/0f92b0.pdf
    • http://hostmaster.stokerhounds.co.uk/uploads/1/3/0/6/130639036/rinubema-bifogapalovilas-taxonejadaler.pdf
    • http://spiritquestshop.com/uploads/1/3/0/5/130541351/c8bf82.pdf
    • http://taylorkrauss.com/uploads/1/3/0/2/130270898/1988787.pdf
    • http://newspingear.net/uploads/1/3/0/4/130436121/mimidawexamedok_perejo_dadukitorom.pdf
    • http://paitmencomp.com/uploads/1/3/0/8/130813755/3412445.pdf
    • http://youthandpets.com/uploads/1/3/0/7/130776647/patewofewovutug.pdf
    • http://livcentral.com/uploads/1/3/0/2/130288883/a333d0865.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000620a.bin
f7bdb019f3978c2f452e85c1ad412112310b5de1b81f8188a47b32eb006a9858		 pdf-font-stream PDF embedded font (sfnt) at offset 0x620A 7560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.