Malicious PDF — malware analysis report

Static analysis result for SHA-256 f7c4fe5b08a9f729…

MALICIOUS

PDF

72.4 KB Created: 2020-04-17 22:46:42 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 45342d13ae5a61ddd3aed2120baae720 SHA-1: eaf92c9152b7ae79dc23fdebcfd5828179e8dac8 SHA-256: f7c4fe5b08a9f729b79519525243e7c7555552eb76716dc8c025f19239ab37f5
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links to other PDF files, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_LOLBIN_RUN_COMMAND' indicates that the document may contain instructions for executing commands using Windows scripting tools, suggesting a potential for further malicious activity. The primary URLs identified are part of this link farm.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://makemeblushla.com/uploads/1/3/0/6/130604031/130604031.html#cave+story+dsi
    • http://adaptodis.com/uploads/1/3/0/9/130969963/8b93842e2529.pdf
    • http://myhockeyguru.com/uploads/1/3/0/6/130604393/3478928.pdf
    • http://sigel.solutions/uploads/1/3/0/4/130475981/eff8f14774d3d.pdf
    • http://arenaeyecarenatomas.com/uploads/1/3/0/4/130435702/xogaberiman.pdf
    • http://dwandcompany.net/uploads/1/3/1/1/131163772/gibegirokowine.pdf
    • http://coderednurse.com/uploads/1/3/0/5/130544295/goxivokanawuxiwe.pdf
    • http://purr-fecthearts.org/uploads/1/3/1/3/131384098/8362009.pdf
    • http://www.viajeszafra.es/uploads/1/3/0/2/130271078/4187262.pdf
    • http://billeveart.com/uploads/1/3/0/4/130477915/4415558.pdf
    • http://emilyarden.com/uploads/1/3/0/7/130739297/9f5365f2e9.pdf
    • http://strongherfasther.org/uploads/1/3/0/9/130969515/1abb16eda0a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e339.bin
92b7458731084d4c2868d19e1f5f0f220fbf24b0e96629be7b9c924c14772e3c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE339 9132 bytes
font_01_sfnt_off000105b8.bin
c960b03b2f6c1ad47c8361b98dca0533e95d1373010e1a472bd13d3789e8f13d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105B8 5280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.