Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee1b8ba8f4f432d9…

MALICIOUS

PDF

39.5 KB Created: 2020-05-14 04:57:20 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 58039948042c49c71bdc7093c17bb08d SHA-1: 3c25922b046dbc223633e6ed7868fb6231411ac0 SHA-256: ee1b8ba8f4f432d993a2411199bf89b90f87116aeac8d6a36ea74795ffba1336
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document was identified as malicious due to a heuristic firing indicating a large link farm of external PDF URLs. The document body contains numerous URLs, with the primary ones being http://hepburnhideaway.com/uploads/1/3/0/7/130776462/130776462.html#sample+descriptive+paragraph+about+a+place+pdf and http://plussizebridesmaiddressma.com/uploads/1/3/1/6/131606349/b82a1116bd534e9.pdf. This suggests a social engineering or phishing attempt where users are lured to click on these links, potentially leading to further malware downloads or credential harvesting.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hepburnhideaway.com/uploads/1/3/0/7/130776462/130776462.html#sample+descriptive+paragraph+about+a+place+pdf
    • http://plussizebridesmaiddressma.com/uploads/1/3/1/6/131606349/b82a1116bd534e9.pdf
    • http://sambainspirado.com/uploads/1/3/1/4/131453348/9310698.pdf
    • http://annabuhler.com/uploads/1/3/1/0/131070109/2241031.pdf
    • http://vnvlvmcmn.org/uploads/1/3/1/6/131607363/zulovujeli.pdf
    • http://mylavishonline.com/uploads/1/3/0/6/130639068/8905684.pdf
    • http://tenminuteministries.net/uploads/1/3/1/3/131397974/jagozesekeduxip.pdf
    • http://freebirdtourandtravel.com/uploads/1/3/1/6/131637652/fijusiwib-jifadudifa-matobi-fagupufe.pdf
    • http://tylerwilliams.us/uploads/1/3/0/5/130539295/degonajefovezilafexi.pdf
    • http://nevermoreacres.com/uploads/1/3/1/3/131398045/gerulokawap.pdf
    • http://annisepe.com/uploads/1/3/0/7/130775840/7413544.pdf
    • http://bestbismarckduiattorney.com/uploads/1/3/0/4/130483429/5269210.pdf
    • http://managementdecisionsllc.com/uploads/1/3/0/8/130814769/tajel.pdf
    • http://lakecitymobiledetailing.com/uploads/1/3/0/4/130476598/mogumusetat.pdf
    • http://beesbizz.com/uploads/1/3/0/8/130814252/fezexepifepe_tizulabi_zekite_tuzakenat.pdf
    • http://barkerwildlife.com/uploads/1/3/1/3/131379540/gugosozig.pdf
    • http://theutg.com/uploads/1/3/1/3/131383694/tunavifewidagubeku.pdf
    • http://goldphoenixproduction.net/uploads/1/3/1/8/131871952/pijonotes.pdf
    • http://vixy-art.com/uploads/1/3/0/6/130603841/544d0b5f.pdf
    • http://thehelpfuldoula.com/uploads/1/3/0/4/130436234/wisijuwufevisin_sedolum_gukimosi.pdf
    • http://athomeinthewoods.org/uploads/1/3/0/6/130621472/4172dc0.pdf
    • http://magicaltransformation.org/uploads/1/3/0/5/130551718/kidosuzopituverij.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070d8.bin
3acf484277282a7cbd632f086c7eaf7b7a63c634f788e68bf17d28f0ac799ddb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70D8 9648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.