Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5aee146368f2dd6…

MALICIOUS

PDF

61.8 KB Created: 2020-04-09 22:33:04 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6364ec70d6491fd3f0da36294a101785 SHA-1: c3d531a1935c971d3df1bb74030a1a56b316b9d4 SHA-256: f5aee146368f2dd6cda70a9b37fcc8d0c4de403754bab3c7b6aee320905a6670
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious Link

The PDF was identified as an image-only lure, a common phishing technique. It contains a large number of external links, many pointing to similarly structured URLs on different domains, suggesting a link farm or a mass phishing campaign. No scripts were extracted, but the PDF structure and numerous external URLs indicate a likely intent to redirect users to malicious websites for credential harvesting or further exploitation.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 61 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://taoswellwoman.com/uploads/1/3/0/6/130640183/130640183.html#canon+mx350+manual
    • http://libertypoolclean.com/uploads/1/3/0/9/130969764/dulejepitoz_jotezaj_jabidapape.pdf
    • http://thiessenfamilyfoundation.com/uploads/1/3/0/7/130776315/bidiliwad-xijonami-wumoso-givopulogu.pdf
    • http://dontforgetathing.com/uploads/1/3/0/7/130738835/b086e598450b2.pdf
    • http://stellarnonprofits.com/uploads/1/3/0/4/130483863/wujibisevofu-vevijor-pupif-tejilug.pdf
    • http://thehuskymamma.com/uploads/1/3/0/7/130775629/492814.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d5e8.bin
34a97cf02d4b99907a5e80020ae4beea44366a5d91ace2091e9dc44a2df604bd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD5E8 5136 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.