Malicious PDF — malware analysis report

Static analysis result for SHA-256 f40a8422e99e6758…

MALICIOUS

PDF

42.3 KB Created: 2020-06-24 19:44:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8664f51aca039a4699b84e1aab0272d2 SHA-1: 2ae0dfe70ab38a3a91d981aa7a0620b10b81e918 SHA-256: f40a8422e99e67582d79ed2b77ba553bd1488f29f29b680e4900848461cdf517
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous external links, many of which point to other PDF files, suggesting a link farm or redirection mechanism. The document body text explicitly mentions "Microsoft excel 2007 for dummies pdf download" and includes URLs that likely serve as lures for users seeking this content. The presence of a "Visual download / call-to-action button lure" heuristic further supports the idea that the document is designed to trick users into clicking malicious links.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://19j.undesirable.us/uploads/1/3/0/9/130969079/130969079.html#microsoft+excel+2007+for+dummies+pdf+download
    • http://itsybitsybabygiftmarket.com/uploads/1/3/1/3/131380001/kisupadedup.pdf
    • http://cssrobotics.com/uploads/1/3/0/6/130620590/lusajas.pdf
    • http://pelletgrillcentral.com/uploads/1/3/2/3/132303133/xufelajanurenojip.pdf
    • http://raykakobiella.com/uploads/1/3/2/3/132303001/zasale.pdf
    • http://xn--rgangsvin-42a.dk/uploads/1/3/0/4/130435820/pavege.pdf
    • http://mybeautyinkstudio.com/uploads/1/3/1/4/131437296/1507928.pdf
    • http://hoskinshoops.org/uploads/1/3/0/5/130543682/7868995904.pdf
    • http://mail.barrow-lane.co.uk/uploads/1/3/1/4/131406802/3930457.pdf
    • http://russianboutique.co.uk/uploads/1/3/0/7/130739028/7141073.pdf
    • http://sagaponacksupperclub.com/uploads/1/3/0/7/130775403/759417.pdf
    • http://africannetwork.org/uploads/1/3/1/6/131637306/pubogamudigosa-gorozilesij-tavujuzafum-rimesojamuvu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065b6.bin
df1f0bad1cd76c7077d2a6778e87d2f9bf92764c9d8e3335de4cfbc16536a4ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65B6 5700 bytes
font_01_sfnt_off0000791e.bin
87d5407f06ec0e14b546b0b1d6a6dc2c031104cff50ce4b3842f0c77656c28ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x791E 10504 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.