Malicious PDF — malware analysis report

Static analysis result for SHA-256 041a0f41cd363f6a…

MALICIOUS

PDF

Size: 124.1 KB
Created: 2022-07-04 04:26:20 +00:00
Authoring application: yamberk (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 399b7190bbf04bebe0e756e9a881d5e0
SHA-1: 31e8b1395a41d8ec50d4e59c4957256fb7db36d3
SHA-256: 041a0f41cd363f6ab027f557019936530cf546605a548b91da485583bdf50bea
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to cracked software or browser extensions, indicating a social engineering lure. One of the embedded URLs, http://mydrugdir.com/abaco/..., appears to be a download link for a malicious payload. The document's primary purpose is to trick users into downloading and executing potentially harmful software or installing malicious browser extensions.

Machine Learning

  • Nyx PDF Classifier clean score 0.0137

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Browser extension / update installation lure (severity: high, rule: SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation.
  • PDF link farm advertises cracked/pirated software (severity: medium, rule: PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mydrugdir.com/abaco/ZG93bmxvYWR8ZUMxTm0xa2RIeDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/alzheimer.consonance.fran.reimbursable.UFVNUC1GTE8UFV?scriptor=improved