Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec6a0c58471542e8…

MALICIOUS

PDF

84.4 KB Created: 2020-05-15 02:23:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d17ad5d981267402d17531460bb5993c SHA-1: 363dc2e4873e8003443f82beca0b14288ff8e8d1 SHA-256: ec6a0c58471542e87514dc0a6cc620136aa412b15e0525bb7d20282939f0d389
110 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059 Command and Scripting Interpreter

The PDF contains a large number of external links, many of which point to similarly structured URLs on different domains, suggesting a link farm for SEO poisoning. The document also explicitly instructs the user to copy and paste content into a shell, indicating an attempt to trick the user into executing commands. No scripts were extracted, but the combination of link farming and social engineering points to a malicious downloader or exploit delivery mechanism.

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bellissimoconfections.com/uploads/1/3/0/7/130775702/130775702.html#accounting+information+system+romney+ppt
    • http://sophiebernier.com/uploads/1/3/1/8/131858353/00b5e5.pdf
    • http://thebarnatcrookedpinesfarm.com/uploads/1/3/1/3/131378796/wipogijaf_liwotekila_tabevidebedud_wuzatukorevi.pdf
    • http://kindkvist.com/uploads/1/3/1/1/131163834/rolumalexazudano.pdf
    • http://pro2290.com/uploads/1/3/1/4/131438079/f1951df564bdc16.pdf
    • http://isthisproblematic.org/uploads/1/3/0/7/130739923/takepasejebu_disovaxujusidad_pajevi.pdf
    • http://kinglobby.net/uploads/1/3/0/7/130740191/7e752.pdf
    • http://allbodies.store/uploads/1/3/1/0/131070652/vipitapilewapeg-romopupitakiw.pdf
    • http://tandit21.store/uploads/1/3/0/3/130323154/1245577.pdf
    • http://mailstreamdirect.com/uploads/1/3/0/7/130738740/6d84b03c7c16.pdf
    • http://bbeboutiquellc.com/uploads/1/3/1/3/131398097/929ae07d.pdf
    • http://mindbodyface.ca/uploads/1/3/0/6/130620845/xerifokevawifiw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000105ff.bin
e8d8df769fbb5b9f857371e4a7bb07a858c819f98a7e67848eb3f5cfee27c6d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105FF 12968 bytes
font_01_sfnt_off0001309e.bin
c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1309E 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.