Malicious PDF — malware analysis report

Static analysis result for SHA-256 109bff3b0ca6f89f…

MALICIOUS

PDF

124.7 KB Created: 2022-06-06 17:30:50 +02:00 Authoring application: illgar (via PDF Master 1.0.1) First seen: 2022-07-15
MD5: 37e3e5e5a976b9a85b2baf82471938d0 SHA-1: da111bd876fd7ebd15b9f7af74bd682d555a001d SHA-256: 109bff3b0ca6f89f920b17794312bd60ea3ca4a1a664adf7e49b98113bef2776
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing attempt to direct users to malicious content. One of the embedded URLs, http://evacdir.com/demanded/chang/ZG93bmxvYWR8SnoyTW01NVpIeDhNVFkxTkRVeU1qRXhNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/entrepreneurs=gyrate/VkJDb3JMaWIVkJ?directorship=retroactive, is likely a download URL for a second-stage payload. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier clean score 0.0069

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://evacdir.com/demanded/chang/ZG93bmxvYWR8SnoyTW01NVpIeDhNVFkxTkRVeU1qRXhNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/entrepreneurs=gyrate/VkJDb3JMaWIVkJ?directorship=retroactive
    • https://uk-ok.com/2022/06/06/the-bar-crack-download/
    • https://www.gasape.com/upload/files/2022/06/fzmUzoxyEbTdTrh6XRcz_06_06813420b7ce1c27f7deab0c1c3c61eb_file.pdf
    • https://dbsangola.com/wp-content/uploads/2022/06/ConferenceXP_Client.pdf
    • http://rt2a.org/radix-smartclass-crack-free-download-for-windows/
    • https://scdroom123.com/wp-content/uploads/2022/06/Fellow.pdf
    • https://coreelevation.com/wp-content/uploads/2022/06/quenegb.pdf
    • https://csermooc78next.blog/wp-content/uploads/2022/06/qitocea.pdf
    • https://invertebase.org/portal/checklists/checklist.php?clid=6247
    • https://www.spanko.net/upload/files/2022/06/ASCUgeJqRy7TZk3sQY3R_06_96fa6f4fe357b632cf169dfecc484f2f_file.pdf
    • https://tchadmarket.com/immobilier/pcauditor/
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000256d.bin
a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x256D 120140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.