Malicious PDF — malware analysis report

Static analysis result for SHA-256 e847876f91cb6ca2…

Verdict: MALICIOUS
File type: PDF
Size: 46.3 KB
Created: 2020-03-10 10:38:34 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7612524720878633cd75b8b6ac14e507
SHA-1: 12fb12ee5b6898ef074de27cd2a56e37e5bc1ef3
SHA-256: e847876f91cb6ca20c2f3e226e3ea7f9cbeb6d830a7db686ecfc36dcfb60f9a8
Risk Score: 70

Malware Insights

MITRE ATT&CK: T1204.002 Malicious Link

The PDF contains numerous embedded URLs, with a critical heuristic firing for a 'PDF_SEO_LINK_FARM'. One of these URLs, 'http://host138.carmichaelnl.com/uploads/1/3/0/3/130379379/130379379.html#amharic+keyboard+for+pc+free+download', is presented in the document body and is associated with a heuristic indicating a visual download button lure. This suggests the document is designed to trick users into clicking the link to download a malicious payload.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document-body URL: http://host138.carmichaelnl.com/uploads/1/3/0/3/130379379/130379379.html#amharic+keyboard+for+pc+free+download

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000069ac.bin
    SHA-256: e758e824d617b3dcf298c8c882fdfd8700af321b577b44d1fb0a6f70e9736846
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69AC
    Size: 12976 bytes
  • font_01_sfnt_off00008cb9.bin
    SHA-256: ab5fcc174a40ba3ba14ead1e92c512afd52536a818df5a9cbbc685778910814a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8CB9
    Size: 8060 bytes