Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff41507c63080bb9…

MALICIOUS

PDF

Size: 17.3 KB
Created: 2020-03-31 04:56:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5180e7834d8b29b88ccb9246ced114d7
SHA-1: ac0796f77173498e98fbce1406053a1ae6a9ec7c
SHA-256: ff41507c63080bb93fdd12b3359fcfe1ec592d36c6d1c1537bd4469df4472c2c
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF file is designed as an image-only lure: it presents a screenshot to trick the user into clicking an embedded link. This link, and many others found within the document, point to external PDF files hosted on various domains. The primary URL http://studioshiuli.com/uploads/1/3/0/5/130590162/130590162.html#requisitos+no+funcionales+seguridad+ejemplos likely serves as the initial phishing landing page, which then redirects to, or itself hosts, further malicious content.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 17 KB. This is the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://studioshiuli.com/uploads/1/3/0/5/130590162/130590162.html#requisitos+no+funcionales+seguridad+ejemplos
    Other extracted URLs:
    • http://greenwichtreeconservancy.com/uploads/1/3/0/7/130775167/6910067.pdf
    • http://nlccpsw.org/uploads/1/3/0/2/130288391/84cfbc4922e0f.pdf
    • http://circleupdoyennes.com/uploads/1/3/0/8/130814241/misuvomoxumuk.pdf
    • http://cochisewine.com/uploads/1/3/0/5/130538992/wunutusokamewa-netowevupe-lewuxugomesip-megugavuxuvere.pdf
    • http://citadelhomeservices.ca/uploads/1/3/0/9/130968949/guzokized-xabujovopabola-katov-lovifewiripibet.pdf
    • http://vnecessities.com/uploads/1/3/0/6/130621625/653930.pdf
    • http://arkansaspropertymaintenance.com/uploads/1/3/1/3/131380930/zowemil.pdf
    • http://lavidawithwings.com/uploads/1/3/0/6/130604706/9351206.pdf
    • http://myangeliccouture.com/uploads/1/3/0/7/130776504/82ebaed7856.pdf
    • http://tribalancehealth.net/uploads/1/3/1/3/131384660/245117.pdf
    • http://travelkai.com/uploads/1/3/0/7/130739729/bijeramok.pdf
    • http://theextractionplace.com/uploads/1/3/0/4/130490006/mugotex_jodilisakopu_nigulorubapuruj.pdf