Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a92acfd03d53273…

Verdict: MALICIOUS
File type: PDF
Size: 123.3 KB
Created: 2022-07-08 00:23:07 +00:00
Authoring application: mignpan (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 1a4fdc1ab26cb9cd51c7be775eb6fb80
SHA-1: b3c28c7e4d64587b9b6758705b8f72e71deb6c80
SHA-256: 2a92acfd03d53273b5403fc2426e51175abc88b97c1b4901fc35e5500667f64e
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links, many of them algorithmically generated and pointing to other PDFs dropped into unrelated upload and webform directories; this is the link-farm pattern used for SEO poisoning, not a citation pattern. One link points to lehmanbrotherbankruptcy.com with a long base64-looking token in both the path and the query. The domain name hints at a financial theme, but the query token is plain base64 for a movie-download keyword phrase ("download movies in 720p Manjhi The Mountain Man 1080p"), so the link is an SEO redirector of the same kind as the rest rather than evidence of a financial scam; what it finally serves can only be confirmed by following the redirect chain from an isolated host. No scripts were extracted, and no parser exploit is involved: the attack vector is the user clicking through to malicious or unwanted external content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0076 (near zero, consistent with the MALICIOUS verdict)

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [high] PDF_RANDOM_URL_LINK: PDF link to algorithmically-generated URL
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable random labels) and whose path or query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, where the visible document is only a prompt; it is not a PDF parser vulnerability.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Several targets appear twice below, once in full and once truncated, and count as one target each. The trailing tcpdf.org, w3.org, purl.org, ns.adobe.com and aiim.org entries are not link targets: the first is the producer string the TCPDF library writes into document metadata, the rest are XMP/RDF and PDF/A schema namespace identifiers.
    • http://lehmanbrotherbankruptcy.com/bursitis/ZG93bmxvYWR8NkM0T1dwb1pueDhNVFkxTnpFNE5qazFOWHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/revues.groceries?ZG93bmxvYWQgbW92aWVzIGluIDcyMHAgTWFuamhpIFRoZSBNb3VudGFpbiBNYW4gMTA4MHAZG9.terrasse.tile
    • https://social.deospace.com/upload/files/2022/07/rwFs4syRGVYkwujw28EE_08_1920961db50d16733a0d1fa56b88972c_file.pdf
    • https://www.dejavekita.com/upload/files/2022/07/rT1JIwc9yhEWLYRnjNcg_08_54e11a8dba9e26c0878b5a439cd7a9bc_file.pdf
    • https://countymonthly.com/advert/sky-go-account-generator-_best_-cracked/
    • https://telebook.app/upload/files/2022/07/FWV7cBVnEYRHeJqyqN4f_08_97ffd12daa80676ae1fb363714a42d4a_file.pdf
    • https://www.town.hull.ma.us/sites/g/files/vyhlif3286/f/uploads/hull_parking_regulations_notice_for_2021.pdf
    • https://world-online.co.za/advert/udaan-full-movie-download-720p-better/
    • http://it-labx.ru/?p=66590
    • http://www.rentbd.net/?p=26317
    • http://www.chelancove.com/cod2-mp-crack-new-1-3-downloadl/
    • https://followgrown.com/upload/files/2022/07/lgUJV5uDhQvUiUOHSfl4_08_97ffd12daa80676ae1fb363714a42d4a_file.pdf
    • https://promwad.com/sites/default/files/webform/tasks/ellyele526.pdf
    • https://veritasds.com/sites/default/files/webform/hanbar69.pdf
    • http://www.camptalk.org/windows-server-2012-r2-kmspico/
    • https://www.cameraitacina.com/en/system/files/webform/feedback/assassinscreedivblackflagallunlockcrackv133dm7z-.pdf
    • https://www.cameraitacina.com/en/system/files/webform/feedback/busyaccountingsoftwarecrackserialdownloadfree.pdf
    • https://www.synergytherm.com/wp-content/uploads/2022/07/Download_Easy_Binder_20_UPD.pdf
    • https://kramart.com/lets-explore-farm-junior-field-trips-torrent-top-full/
    • https://eastlakefc.com.au/sites/default/files/webform/cerekam236.pdf
    • https://farmaciacortesi.it/mathematica-10-keygen-ubuntu-mate-better/
    • https://social.deospace.com/upload/files/2022/07/rwFs4syRGVYkwujw28EE_08_1920961db50d16733
    • https://www.dejavekita.com/upload/files/2022/07/rT1JIwc9yhEWLYRnjNcg_08_54e11a8dba9e26c0878
    • https://telebook.app/upload/files/2022/07/FWV7cBVnEYRHeJqyqN4f_08_97ffd12daa80676ae1fb36371
    • https://www.town.hull.ma.us/sites/g/files/vyhlif3286/f/uploads/hull_parking_regulations_notice_for_20
    • https://followgrown.com/upload/files/2022/07/lgUJV5uDhQvUiUOHSfl4_08_97ffd12daa80676ae1fb363
    • https://www.cameraitacina.com/en/system/files/webform/feedback/assassinscreedivblackflagallunloc
    • https://www.cameraitacina.com/en/system/files/webform/feedback/busyaccountingsoftwarecrackseri
    • https://aulasvirtuales.zaragoza.unam.mx/cv/blog/index.php?entryid=12063
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/