Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2005e7d98253b37…

MALICIOUS

PDF

35.4 KB Created: 2020-06-05 00:07:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8c5ef945094a8e02169d3083afdcef3 SHA-1: 083d68212cd29cfd909ef1bd2c0c4f6a90a76e89 SHA-256: f2005e7d98253b370c0a81167c687286724da21b950b3e27b96bd8d9dd5a1075
70 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF document contains numerous external links, many of which are hosted on suspicious domains and appear to be part of a link farm. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of these links, suggesting a malicious intent to distribute or host malicious content. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the idea that the document is designed to trick the user into clicking a link, likely to download a secondary payload. No scripts were extracted from this sample.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sauerlandhypotheek.nl/uploads/1/3/0/7/130775660/130775660.html#jesus+loves+me+too+much
    • http://smartchoice.org.uk/uploads/1/3/0/7/130775071/1575765.pdf
    • http://flydcsc.com/uploads/1/3/1/0/131071196/wadadanowakofapegama.pdf
    • http://wellnessattheabbey.com/uploads/1/3/1/3/131383562/kafofeg_kuvoxisux_zuwewekupanufak_sasuzo.pdf
    • http://1zl.undesirable.us/uploads/1/3/0/9/130969888/xaxififesa.pdf
    • http://4hm.undesirable.us/uploads/1/3/1/6/131606025/046d43f3b00418.pdf
    • http://handmadecandlesandsoaps.com/uploads/1/3/1/4/131454435/2858d87602f791.pdf
    • http://mazatlantravelclub.net/uploads/1/3/0/5/130588984/zoserugebusujiwav.pdf
    • http://saud.solutions/uploads/1/3/1/4/131406544/rapiduzu-zomupavenorej.pdf
    • http://sparklebabeonline.com/uploads/1/3/0/5/130547486/2113886.pdf
    • http://abcheavy.com.au/uploads/1/3/0/2/130272513/4343074.pdf
    • http://webdisk.alexabc.com/uploads/1/3/1/6/131637116/xojodonofix_kedipe.pdf
    • http://ckmnortheast.com/uploads/1/3/0/5/130545189/2302332.pdf
    • http://autodiscover.radarresearch.com/uploads/1/3/1/4/131437867/230028.pdf
    • http://sauerlandhypotheek.nl/uploads/1/3/0/7/130775660/terms.html
    • http://sauerlandhypotheek.nl/uploads/1/3/0/7/130775660/dmca.html
    • http://sauerlandhypotheek.nl/uploads/1/3/0/7/130775660/policy.html
    • https://ximusigote214282024.files.wordpress.com/2020/06/gitevowesaxim.pdf
    • https://varesewivoja.files.wordpress.com/2020/06/35087442024.pdf
    • https://dazemafabuse.files.wordpress.com/2020/06/59250906600.pdf
    • https://gosowawo370588995.files.wordpress.com/2020/06/50372749011.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f58.bin
f6ddf91f4e72fbfd4ab4df5280345c53e9d0b3cd6826bcd04ad2de9742cdb1af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F58 10040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.