Malicious PDF — malware analysis report

Static analysis result for SHA-256 f15e09fc9ce0fabf…

MALICIOUS

PDF

31.6 KB Created: 2020-03-31 12:30:49 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5c609245a8565085e376bd871943a30e SHA-1: 2a1e66fcc49e60b54cb5559a65782d8d5ea0932f SHA-256: f15e09fc9ce0fabf7028455986e64f5b7dc55351bc315f8419227a3af632c6c4
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF document contains a mass of external links, many pointing to PDF files, suggesting a link farm or SEO poisoning tactic. One of the embedded URLs, 'http://localcrimescenecleanup.info/uploads/1/3/0/3/130323097/130323097.html#dell+latitude+e6530+drivers+for+windows+7', indicates a lure for downloading drivers. The presence of a visual download button further supports a social engineering attack. The document's primary purpose appears to be to trick users into downloading a malicious file disguised as legitimate software.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://localcrimescenecleanup.info/uploads/1/3/0/3/130323097/130323097.html#dell+latitude+e6530+drivers+for+windows+7
    • http://www.deesty.fr/uploads/1/3/0/9/130969185/rokukutobufe.pdf
    • http://healingrockretreat.com/uploads/1/3/1/3/131382226/geforeriwonor.pdf
    • http://www.aectperambalur.com/uploads/1/3/0/5/130544243/manuzokuxuvufenisu.pdf
    • http://smooth-resolve.com/uploads/1/3/0/6/130605462/sivam.pdf
    • http://photosinthesi.gr/uploads/1/3/0/5/130590561/9680110.pdf
    • http://samplesnew.com/uploads/1/3/0/7/130776229/c3142bd52c51.pdf
    • http://leoconstruction.org/uploads/1/3/0/5/130589228/6038020.pdf
    • http://davisenergymedicine.com/uploads/1/3/1/4/131453576/7484832.pdf
    • http://totalplasma.org/uploads/1/3/0/3/130313038/ferevisujoz.pdf
    • http://cbseeds.net/uploads/1/3/0/7/130740187/lafuraros-lazuwo.pdf
    • http://bartranz.com/uploads/1/3/0/6/130620889/1554151.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000562d.bin
819f4106203ada448f694a47611d50281c01a113be68347cf93c16d19bd81d35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x562D 6892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.