Malicious PDF — malware analysis report

Static analysis result for SHA-256 20f786734c8d1277…

MALICIOUS

PDF

117.3 KB Created: 2022-07-04 09:28:08 +00:00 Authoring application: detekay (via PDF Master 1.0.1) First seen: 2022-07-15
MD5: 4a15e984ee2cf8ad589ab7aefd1b3350 SHA-1: 84905397681318959422c1fa1cf9e1eff901308f SHA-256: 20f786734c8d127793b6137ee3b01eb476939439edf787e4a35b7444fc13497a
74 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF document contains multiple links advertising cracked software, a common lure for malware distribution. A high-severity heuristic indicates the document instructs the user to copy/paste content into a shell, likely to execute a downloaded payload from one of the embedded URLs. The primary URL, http://dormister.com/biomicroscopy/leathery.bravery?boasters.hera.ZG93bmxvYWR8dXYxWkhSaWEzeDhNVFkxTmpnNU1qTTFNbng4TWpVNU1IeDhLRTBwSUZkdmNtUndjbVZ6Y3lCYldFMU1VbEJESUZZeUlGQkVSbDA=likeliest&quarts=T3JhY2xlIExvY2F0b3IgRXhwcmVzcwT3J, is highly suspicious and likely serves as the download source for a second-stage payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0009

Heuristics 4

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • PDF link farm advertises cracked/pirated software medium PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dormister.com/biomicroscopy/leathery.bravery?boasters.hera.ZG93bmxvYWR8dXYxWkhSaWEzeDhNVFkxTmpnNU1qTTFNbng4TWpVNU1IeDhLRTBwSUZkdmNtUndjbVZ6Y3lCYldFMU1VbEJESUZZeUlGQkVSbDA=likeliest&quarts=T3JhY2xlIExvY2F0b3IgRXhwcmVzcwT3J PDF link annotation
    • https://pzn.by/uncategorized/seating-arrangement-for-weddings-crack-with-full-keygen-free-download-for-pc-2022/In PDF document text
    • http://www.vidriositalia.cl/?p=35660In PDF document text
    • https://sc-designgroup.com/wp-content/uploads/2022/07/chrnav.pdfIn PDF document text
    • https://marido-caffe.ro/2022/07/04/blockpad-crack-lifetime-activation-code/In PDF document text
    • http://barrillos.org/2022/07/04/jrview-with-serial-key-free/In PDF document text
    • http://implicitbooks.com/advert/myideasjournal-crack-2022-new/In PDF document text
    • https://instafede.com/earthdesk-crack-incl-product-key-download-x64/In PDF document text
    • http://www.male-blog.com/2022/07/04/whatsapp-pocket-4-2-0-crack-free-x64/In PDF document text
    • https://zeecanine.com/web-ceo-crack-lifetime-activation-code-download-mac-win-2022-latest/In PDF document text
    • http://www.ubom.com/upload/files/2022/07/FkGl5eheIkZYYfpNQUba_04_8470624887a55b30afb1bcccdaa34304_file.pdfIn PDF document text
    • https://www.bathnes.gov.uk/sites/default/files/webform/autumn-icons-small-and-large-edition.pdfIn PDF document text
    • https://skepticsguild.com/wp-content/uploads/2022/07/WinReducer_EX80_Crack___With_Key_X64.pdfIn PDF document text
    • https://www.didochat.com/upload/files/2022/07/li1EdnJDvLMkHsDxRN9Q_04_a5643b3768b2e1de8c959067c2ec56a7_file.pdfIn PDF document text
    • https://serverug.ru/����������������/macos-ux-pack-crack-free-download-for-pc/In PDF document text
    • https://noshamewithself.com/upload/files/2022/07/d3bYqDYPIICpCVJQbqoJ_04_8470624887a55b30afb1bcccdaa34304_file.pdfIn PDF document text
    • https://gamer.ini.chat/upload/files/2022/07/hHHFW54sonuki9WJrYk4_04_8470624887a55b30afb1bcccdaa34304_file.pdfIn PDF document text
    • http://setewindowblinds.com/?p=22673In PDF document text
    • https://wakelet.com/wake/5q8IN3AFAD3TCqowmBLZPIn PDF document text
    • http://tioustenli.yolasite.com/resources/File-Repair--Crack--Free-MacWin-2022.pdfIn PDF document text
    • https://ecunogenon.wixsite.com/roassabinca/post/mimind-2-90-mac-winIn PDF document text
    • http://www.tcpdf.orgIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://www.aiim.org/pdfa/ns/extension/In PDF document text
    • http://www.aiim.org/pdfa/ns/schema#In PDF document text
    • http://www.aiim.org/pdfa/ns/property#In PDF document text
    • http://www.aiim.org/pdfa/ns/id/In PDF document text