PDF malware analysis — malicious · ef23c7506881576b

MALICIOUS

PDF

55.3 KB Created: 2020-06-03 22:22:05 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 7bb33c3a8f9bbf1793845c0c67f9e988 SHA-1: 251a0328b3751468399388a889295c288fa4627c SHA-256: ef23c7506881576be581f2a7fd447e949925444ce7096c8bae9134ef7019b99b

102 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File Execution: User Execution T1566.002 Phishing: Spearphishing Attachment

The PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO manipulation or to host malicious content. The 'SE_CLICKFIX' heuristic indicates a social engineering attack that tricks the user into executing commands, likely to download and run a secondary payload. The embedded URL 'http://aerialstudios.net/uploads/1/3/0/2/130271157/130271157.html#acer+aspire+e1-571g+recovery+disk+do' is a primary indicator of the malicious destination.

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClickFix social engineering attack high SE_CLICKFIX

Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://aerialstudios.net/uploads/1/3/0/2/130271157/130271157.html#acer+aspire+e1-571g+recovery+disk+do
- http://bluecouleecoffee.com/uploads/1/3/0/7/130776147/tijubegiwar.pdf
- http://lanaetlinum.com/uploads/1/3/1/3/131382373/dexul-nogamuseviwodov-xuxedoxapek.pdf
- http://mta-sts.buggytownbirddogs.com/uploads/1/3/1/8/131856010/pulug.pdf
- http://mta-sts.mail.geshundheit.ch/uploads/1/3/0/5/130538841/nalewula-kemirum-sajinoso-pimeb.pdf
- http://cibum.nl/uploads/1/3/1/3/131383727/8a7397f7d.pdf
- http://retrieversystemsco.com/uploads/1/3/0/5/130550911/6020933.pdf
- http://drkelseykeltgen.com/uploads/1/3/0/5/130539843/629b5f7e7.pdf
- http://mail.teriannestanley.com/uploads/1/3/1/3/131398254/lidajiwow.pdf
- http://bergenmeadowlandscommercialalliance.com/uploads/1/3/1/4/131438313/simomovomirulubegi.pdf
- http://fluid2.org/uploads/1/3/1/4/131453818/543d39b4.pdf
- http://enzoprints.com/uploads/1/3/0/5/130552053/gopabu.pdf
- http://hookmo.com/uploads/1/3/0/8/130873776/sonubinumiti.pdf
- http://aerialstudios.net/uploads/1/3/0/2/130271157/terms.html
- http://aerialstudios.net/uploads/1/3/0/2/130271157/dmca.html
- http://aerialstudios.net/uploads/1/3/0/2/130271157/policy.html
- http://lanaetlinum.com/
- https://batuzax.files.wordpress.com/2020/06/37103293634.pdf
- https://nojilibap.files.wordpress.com/2020/06/14753633544.pdf
- https://babupaxe.files.wordpress.com/2020/06/zewenasiwidukurozagu.pdf
- https://juruvedofe.files.wordpress.com/2020/06/20777207588.pdf
- https://fotigegim.files.wordpress.com/2020/06/96553680484.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000a9fc.bin` `c6cf4842308c79cd08f37e6ad6eefd535c0974ac6b57507db7b16ef0f8a46fcc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA9FC	11676 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.