Malware Insights
The PDF carries a clickable external URI action, one of whose targets is a URL shortener, together with social-engineering text. Of the five heuristics, only SE_PASSWORD_ARCHIVE_LURE is rated high: the document tells the reader how to open a password-protected archive, the classic way to keep a payload encrypted until it has passed gateway scanning. PDF_URL_SHORTENER_URI (medium) hides the final landing page of the goo.gl link from static review, and SE_URGENCY_LURE (low) adds deadline pressure but is weak on its own. The extracted URL list mixes genuine software download sites (rarlab.com, filehippo.com, download.cnet.com) with affiliate and pay-per-download services (sharecash.org, fileice.net, a shorte.st referral link), a torrent index and a hacking-forum section, so the links cannot simply be read as "legitimate download sites"; several of them are monetization or redirect channels, consistent with a decoy or multi-stage delivery. No embedded executable or script was carved from the sample, only one large FlateDecoded stream, so any payload would have to arrive through the linked sites or the password-protected archive the text refers to. The document body itself is not readable in the static view, which limits content analysis, but taken together the heuristics point to an attempt to lure the user into fetching and opening a payload.
Heuristics (5)

| Heuristic | Severity | ID | Description |
|---|---|---|---|
| Password-protected archive handoff | high | SE_PASSWORD_ARCHIVE_LURE | Document gives password instructions for an archive or attachment, often used to keep payloads encrypted until after gateway scanning. |
| Clickable URI uses URL shortener | medium | PDF_URL_SHORTENER_URI | PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs. |
| Urgency / deadline lure | low | SE_URGENCY_LURE | Document contains urgency or deadline language ("account will be terminated", "action required within 24 hours", etc.). Useful context, but low-signal without other findings. |
| External URI | info | PDF_URI | PDF contains an external URL action. |
| Embedded URL | info | EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. |

Extracted URLs

- http://onthehub.com/download/free-software/
- http://freestudentsoftware.com/
- http://www.addmecontacts.com/
- http://datingaffiliateprogramreviews.com/top-dating-affiliate-programs-for-2015/
- http://www.followliker.com/instagram-bot.html
- http://resell-rights-weekly.com/
- http://howtobuybitcoins.info/us.html
- https://kat.cr/
- https://kat.cr/community/
- http://www.redbox.com/movies
- http://whatstrending.com/categories/movies
- http://www.datpiff.com/mixtapes/hot
- http://sharecash.org/
- http://fileice.net/?index=bf898a13dc1375600e2f
- http://www.hackforums.net/forumdisplay.php?fid=277
- http://igaming.org/cryptocurrencies/section/how-mining-works/
- https://shorte.st/ref/fc287cb549
- https://www.youtube.com/watch?v=E58ZVwOhj6c
- https://www.youtube.com/watch?v=LgRxWyoqltk
- https://www.youtube.com/watch?v=QihvpQYOJ04
- http://goo.gl/SqrB79
- https://partnernetwork.ebay.com/en/home
- http://www.alibaba.com/
- https://www.g2a.com/
- https://en.wikipedia.org/wiki/Bitcoin
- https://blockchain.info/wallet
- https://localbitcoins.com/
- http://www.rottentomatoes.com/browse/dvd-new-releases/?services=amazon;amazon_prime;flixster;hbo_go;itunes;netflix_iw;vudu
- http://www.rottentomatoes.com/
- http://www.the-numbers.com/movies/trending
- https://www.beatport.com/pulsechart
- https://soundcloud.com/explore
- http://www.metacritic.com/browse/games/release-date/new-releases/all/date
- http://www.gamestop.com/collection/upcoming-video-games
- http://www.gamespot.com/new-games/
- http://gamingbolt.com/trending-video-games-this-week
- http://download.cnet.com/windows/
- http://download.cnet.com/windows/most-popular/3101-20_4-0.html?tag=rb_content;main
- http://www.amazon.com/best-sellers-software/zgbs/software
- http://filehippo.com/popular
- http://www.techspot.com/downloads/popular/
- https://www.youtube.com/watch?v=0xWExh2COl8
- http://www.rarlab.com/download.htm
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_013_off000898b7.bin | 6f11262fb4ae0f47aa1702a3ffcd7572f6842fbdb07081267560277934eac23e | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x898B7 | 3084624 bytes |
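The heuristics above (PDF_URI, PDF_URL_SHORTENER_URI and the two SE_* lures) and the carved FlateDecoded stream are two halves of the same job: link annotations and page text normally live inside compressed streams, so a scanner has to inflate them before it can see a /URI action or the words "password:". The following Python script, added here as an illustration and not the analyzer's own code, carves every Flate stream from a PDF, extracts /URI targets from the raw file and the inflated streams, flags shortener hosts, greps for lure phrases, and reports the highest severity using the scale in the table above. The shortener list, the lure regexes, the sample PDF and its text are constructed for the example; the one real URL in it (http://goo.gl/SqrB79) is taken from the extracted URL list. The stream regex is a deliberately simplified scanner, not a full PDF object parser.

```python
"""Minimal PDF lure/URI heuristic scanner (added example; not the analyzer's code)."""
import re
import zlib
from urllib.parse import urlparse

# Assumption: a small hand-picked shortener list; a production scanner uses a maintained feed.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "shorte.st", "t.co", "tinyurl.com", "ow.ly", "is.gd"}

# Severity scale copied from the report's heuristics table.
SEVERITY = {"SE_PASSWORD_ARCHIVE_LURE": "high", "PDF_URL_SHORTENER_URI": "medium",
            "SE_URGENCY_LURE": "low", "PDF_URI": "info"}

# Byte regexes: PDF content is not guaranteed to be valid UTF-8. Patterns are illustrative.
LURE_PATTERNS = {
    "SE_PASSWORD_ARCHIVE_LURE": re.compile(rb"password\s*(?:is|:)\s*\S+|password[- ]protected", re.I),
    "SE_URGENCY_LURE": re.compile(
        rb"within\s+\d+\s+hours|action required|will be (?:terminated|suspended)", re.I),
}
# A stream dictionary followed by its body. (?:(?!>>).)* stops the dict at the first '>>'
# so a match cannot run across objects; the body ends at the first 'endstream'.
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:(?!>>).)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")


def carve_streams(pdf):
    """Yield (body_offset, dict_bytes, data) per stream; FlateDecode bodies are inflated."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or non-zlib data: skipped here, worth flagging in practice
        yield m.start("body"), m.group("dict"), body


def scan_pdf(pdf):
    """Return {heuristic_id: sorted list of evidence strings} for one PDF byte string."""
    hits = {}

    def add(hid, detail):
        hits.setdefault(hid, set()).add(detail)

    # Scan the raw file and every inflated stream: a raw grep alone misses link
    # annotations and page text that sit inside compressed streams.
    views = [pdf] + [data for _, _, data in carve_streams(pdf)]
    for view in views:
        for m in URI_RE.finditer(view):
            uri = m.group("uri").decode("latin-1")
            add("PDF_URI", uri)
            host = (urlparse(uri).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                add("PDF_URL_SHORTENER_URI", uri)
        for hid, pat in LURE_PATTERNS.items():
            m = pat.search(view)
            if m:
                add(hid, m.group(0).decode("latin-1"))
    return {hid: sorted(v) for hid, v in hits.items()}


def verdict(hits):
    """Highest severity among the hits on the report's info/low/medium/high scale."""
    rank = ["info", "low", "medium", "high"]
    return max((SEVERITY[h] for h in hits), key=rank.index, default="none")


def build_sample_pdf():
    """Constructed sample (not the analyzed document): one page whose text is Flate-compressed
    plus one link annotation pointing at a shortener URL. No xref table; readers repair that."""
    text = (b"BT /F1 12 Tf 72 700 Td "
            b"(Open the attached archive with password: example123) Tj "
            b"0 -20 Td (The password: example123 expires soon. Action required within 24 hours "
            b"or your account will be terminated.) Tj ET")
    content = zlib.compress(text)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 720] "
        b"/A << /S /URI /URI (http://goo.gl/SqrB79) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    for off, _, data in carve_streams(sample):
        print("stream at offset 0x%X, %d bytes inflated" % (off, len(data)))
    found = scan_pdf(sample)
    for hid, evidence in found.items():
        print(SEVERITY[hid], hid, evidence)
    print("verdict:", verdict(found))
```

Run it on a real sample by replacing `build_sample_pdf()` with the file's bytes. The raw-versus-inflated distinction is the practical point: on the constructed sample the word "password" is absent from the raw bytes and appears only after inflating the content stream, which is why the analyzer carves streams such as stream_013 before running text heuristics.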