Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ccdeff1538725c4…

Verdict: MALICIOUS
File type: PDF
Size: 140.6 KB
Created: 2022-06-12 16:38:55 +02:00
Authoring application: tanjes (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 6b4a05f0ff382aeab82eb9dd81226db0
SHA-1: b347b436b72d1532d0fe1186b49b42ac5b67b60a
SHA-256: 3ccdeff1538725c4ba72ec81e2d47a70e7ef39f316f3531db0d18fdfcd7db94e
Risk Score: 104

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, many of which appear to belong to a link farm built to attract search-engine traffic; the PDF_SEO_LINK_FARM heuristic identifies this pattern specifically. The document is additionally flagged by SE_PASSWORD_ARCHIVE_LURE, suggesting it is intended to convince users that a password is needed to access the content, a tactic often used to get an encrypted payload past security scanners. The primary URL identified is http://evacdir.com/teamworker.cyberspeed.scholar?&unknowing=ZG93bmxvYWR8NHdKYVRBMWNueDhNVFkxTkRrNE9URTJNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA&&RGV1dHogRmFociBTREYgZSBQYXJ0cy10b3JyZW50LjgzRGV=salehoo, which is likely a download or redirect link.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0164

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://evacdir.com/teamworker.cyberspeed.scholar?&unknowing=ZG93bmxvYWR8NHdKYVRBMWNueDhNVFkxTkRrNE9URTJNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA&&RGV1dHogRmFociBTREYgZSBQYXJ0cy10b3JyZW50LjgzRGV=salehoo

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_001_off00000c2a.bin
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xC2A
Size: 120140 bytes