Malicious PDF — malware analysis report

Static analysis result for SHA-256 f727bc630fd38db0…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2020-04-06 12:52:11 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e891553123d087646a5a014b9d568eef
SHA-1: 979012fe3dadc6d70d46fa00d574c0807126b247
SHA-256: f727bc630fd38db0660bafbee5d108242d154f7ed1c8107b6a04c0dcdf4f95af
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are hosted on domains that appear to be part of a link farm. The heuristic 'SE_URGENCY_LURE' suggests the document's content attempts to create a false sense of urgency to prompt user interaction. The primary attack pattern involves directing users to these external URLs, which are likely malicious or lead to further compromise. No scripts were extracted from this sample.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_URGENCY_LURE (low): Urgency / deadline lure
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001174d.bin
SHA-256: 1ecd0e586dd7a3d8da965d631f10f9fed2dad5c715c9ce94fb713f0d626a83ed
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1174D
Size: 8928 bytes