Malicious PDF — malware analysis report

Static analysis result for SHA-256 216aa3f71681a30c…

MALICIOUS

PDF

Size: 118.3 KB
Created: 2022-07-06 11:27:55 +00:00
Authoring application: henber (via PDF Master 1.0.1)
First seen: 2022-07-15

MD5: ef7a498eed55f3c4fef039b6987c8280
SHA-1: 699b82f15ccf79d0d740ccde0443c2653229e240
SHA-256: 216aa3f71681a30ca5100ea09db562950fa29ee70581f057d4574c794af6af6d

Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1071.001 Web Protocols

This PDF document contains a large number of external links, including one hosted on a raw IP address, suggesting a link farm or distribution point for malicious content. The presence of a 'download button' heuristic further supports the intent to trick users into downloading further payloads. The document body was not sufficiently readable to determine a specific lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.0314

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://findthisall.com/contrivances/overstock.romeu?everly=jerking&TWFya2l6IERlIFNhZCAxMjAgRGFuYSBTb2RvbWUgUGRmIERvd25sb2FkTWF=ZG93bmxvYWR8eEw3YW1kbE1ueDhNVFkxTnpBMk56RTFOSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA==
    • https://www.waldportoregon.gov/sites/g/files/vyhlif6536/f/uploads/public_records_request_policy_and_form_.pdf
    • https://inobee.com/upload/files/2022/07/vqkWHKmrmznT7mnwZVyL_06_ad37e25b0c73611e9f2b3d75d3183c6e_file.pdf
    • https://www.mindq.co.bw/sites/default/files/webform/ferflan761.pdf
    • https://www.chiesacristiana.eu/2022/07/06/horoscope-explorer-pro-5-03-crack-best-serial-keygen-cd-key-rar/
    • https://natsegal.com/autocad-2006-portable-__hot__-keygen/
    • https://bullygirlmagazine.com/advert/resident-evil-5-iso-ps2-top/
    • https://www.juniperhillpta.uk/wp-content/uploads/2022/07/VEGA_Conflict_Cheats_And_Hacks_9999999999_Coins.pdf
    • https://www.artec3d.com/system/files/webform/business_development/alisyaky612.pdf
    • https://dincampinginfo.dk/wp-content/uploads/2022/07/moninect.pdf
    • https://mauislocal.com/wp-content/uploads/2022/07/Spellbound_Korean_Movie_Eng_Sub_Torrent_FULL_Download.pdf
    • https://1orijin.com/upload/files/2022/07/khJcYb6GT61LRcsxlBim_06_ad37e25b0c73611e9f2b3d75d3183c6e_file.pdf
    • http://richard-wagner-werkstatt.com/?p=74853
    • http://www.chandabags.com/koi-mil-gaya-full-movie-download-mp4-720p-repack/
    • https://www.griecohotel.it/descargar-gran-turismo-4-pc-espaol-utorrent-install/
    • https://4s71.com/nostale-minigame-bot-download-repack-2/
    • http://18.138.249.74/upload/files/2022/07/l2HSpsvhiebr7s6hFCrk_06_ad37e25b0c73611e9f2b3d75d3183c6e_file.pdf
    • https://ipayif.com/upload/files/2022/07/teAAFfVMBRgnnjCJdVPq_06_ad37e25b0c73611e9f2b3d75d3183c6e_file.pdf
    • https://www.ludomar.com/wp-content/uploads/2022/07/REPACK_Keygen_Para_Activar_AutoCAD_Mechanical_2018_64_Bits.pdf
    • https://www.waldportoregon.gov/sites/g/files/vyhlif6536/f/uploads/public_records_request_policy_and
    • https://inobee.com/upload/files/2022/07/vqkWHKmrmznT7mnwZVyL_06_ad37e25b0c73611e9f2b3d7
    • https://www.chiesacristiana.eu/2022/07/06/horoscope-explorer-pro-5-03-crack-best-serial-keygen-cd-
    • https://www.juniperhillpta.uk/wp-
    • https://mauislocal.com/wp-
    • https://1orijin.com/upload/files/2022/07/khJcYb6GT61LRcsxlBim_06_ad37e25b0c73611e9f2b3d75d31
    • http://18.138.249.74/upload/files/2022/07/l2HSpsvhiebr7s6hFCrk_06_ad37e25b0c73611e9f2b3d75d3
    • https://ipayif.com/upload/files/2022/07/teAAFfVMBRgnnjCJdVPq_06_ad37e25b0c73611e9f2b3d75d31
    • https://www.ludomar.com/wp-
    • https://au.int/es/system/files/webform/au3rd
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/