Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a0257ee0b340d87…

Verdict: MALICIOUS
File type: PDF
Size: 121.5 KB | Created: 2022-07-04 01:19:24 +00:00 | Authoring application: kartad (via PDF Master 1.0.1) | First seen: 2022-07-15
MD5: 1938de33b6ffd2f42f7adaa88d147e60
SHA-1: 602c4d3d7ffb2b37b5efb261d34d12ce9f372cd6
SHA-256: 4a0257ee0b340d87f95a1c017ce02b1402f944edc21bf7ea84321a32f7a4e45f
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1204 User Execution (Malicious Link)
  • T1059 Command and Scripting Interpreter

The 'Clipboard command execution lure' heuristic fired on this PDF: the document instructs the reader to copy text and paste it into a shell or the Run dialog. Combined with the large number of external URLs, this indicates a document built to steer the reader into downloading and executing a secondary payload rather than a legitimate document. The primary malicious URL identified is http://lehmanbrotherbankruptcy.com/... Static analysis alone cannot show what the linked resources served at the time; treat the URLs as indicators and retrieve them only from an isolated environment.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0083 (a very low clean score, consistent with the malicious verdict)

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external links to PDFs, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route readers into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE)
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lehmanbrotherbankruptcy.com/photoshop.T3ppRXhwbG9yZXIgRmlsZSBGb3JtYXQgQ29udmVydGVyT3p.anakinra.defrauded.goers.ZG93bmxvYWR8OXluTWpOeWVYeDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.entreprenuers.qeii (primary URL; the two long dot-separated path segments are base64 text)
    • https://affittaora.it/wp-content/uploads/2022/07/jannat.pdf
    • http://anhhotgirls.com/usb-disk-protection-x64-2022-3/
    • https://acindustrialtech.com.ph/sites/default/files/webform/maftjakq756.pdf
    • https://thebakersavenue.com/ez-wav-joiner-crack-torrent-activation-code-free-final-2022/
    • https://lockbrotherstennis.com/video-to-nintendo-converter-free-crack-registration-code-free-for-pc-updated-2022/
    • https://www.careerfirst.lk/sites/default/files/webform/cv/maretea265.pdf
    • https://marriagefox.com/projectroom-2-0-0-crack-full-version-for-windows-march-2022/
    • https://mariana-flores-de-camino.com/mariana-flores-de-camino/amd-v-technology-and-microsoft-hyper-v-system-compatibility-check-crack-full-version-march-2022/
    • https://riberadelxuquer.com/wp-content/uploads/2022/07/Cute_Web_Email_Extractor_Advance.pdf
    • http://www.ubom.com/upload/files/2022/07/tP4rc4hPqnFJPX4oothA_04_b68ac693ab44141b60f19840ea3625d7_file.pdf
    • https://www.careerfirst.lk/sites/default/files/webform/cv/FoopChat-Client.pdf
    • https://followgrown.com/upload/files/2022/07/wmARiYz7wL9XCjxOFWgl_04_f29157500b91f80bc6b0d552224ef24f_file.pdf
    • https://solaceforwomen.com/slicer-crack-patch-with-serial-key-april-2022/
    • https://everyonezone.com/upload/files/2022/07/CrLh6aK1z9tByTmBeT8z_04_f29157500b91f80bc6b0d552224ef24f_file.pdf
    • https://fisiocinesia.es/2022/07/04/tiff-merger-deluxe-activation-code-with-keygen/
    • https://autodjelovicg.com/advert/taggedfrog-crack-lifetime-activation-code-updated/
    • https://merryquant.com/kiss-sounds-crack-with-registration-code-latest/
    • https://scrolllinkupload.s3.amazonaws.com/upload/files/2022/07/vTs4X44zu32p86PuBxWh_04_20c548322254221280df35c51de5b41f_file.pdf
    • https://scrolllinkupload.s3.amazonaws.com/upload/files/2022/07/ppyDhzAfLcLMRrsk7zwF_04_20c548322254221280df35c51de5b41f_file.pdf
    • https://tabsynchcastcu1986.wixsite.com/sletdisnevi/post/vizzy-flash-tracer-crack-free
    • http://www.tcpdf.org
    The remaining URLs are XMP/RDF namespace identifiers from the document metadata, not links a reader can click:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/
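The following Python is an added example, not code from the report or from the scanner that produced it. It reproduces the two pieces of triage a reviewer would do on the URL list above: the counts behind a PDF_SEO_LINK_FARM-style heuristic (distinct clickable external URLs, how many point at .pdf files, how many carry crack/keygen wording, and how concentrated they are on one host), and decoding the base64 path segments of the primary lehmanbrotherbankruptcy.com URL. The URL list is a subset of the URLs reported above; the namespace-host set, the SEO word list, the 16-character segment floor and the printable-ASCII check are assumptions made for this example, not the scanner's own rules.

```python
import base64
import re
from collections import Counter
from urllib.parse import urlsplit

# A subset of the URLs the report extracted from this sample (taken from the list
# above; the truncated duplicates and most of the namespace URIs are omitted).
URLS = [
    "http://lehmanbrotherbankruptcy.com/photoshop.T3ppRXhwbG9yZXIgRmlsZSBGb3JtYXQgQ29udmVydGVyT3p.anakinra.defrauded.goers.ZG93bmxvYWR8OXluTWpOeWVYeDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.entreprenuers.qeii",
    "https://affittaora.it/wp-content/uploads/2022/07/jannat.pdf",
    "http://anhhotgirls.com/usb-disk-protection-x64-2022-3/",
    "https://acindustrialtech.com.ph/sites/default/files/webform/maftjakq756.pdf",
    "https://thebakersavenue.com/ez-wav-joiner-crack-torrent-activation-code-free-final-2022/",
    "https://www.careerfirst.lk/sites/default/files/webform/cv/maretea265.pdf",
    "https://www.careerfirst.lk/sites/default/files/webform/cv/FoopChat-Client.pdf",
    "https://solaceforwomen.com/slicer-crack-patch-with-serial-key-april-2022/",
    "https://fisiocinesia.es/2022/07/04/tiff-merger-deluxe-activation-code-with-keygen/",
    "https://scrolllinkupload.s3.amazonaws.com/upload/files/2022/07/vTs4X44zu32p86PuBxWh_04_20c548322254221280df35c51de5b41f_file.pdf",
    "https://scrolllinkupload.s3.amazonaws.com/upload/files/2022/07/ppyDhzAfLcLMRrsk7zwF_04_20c548322254221280df35c51de5b41f_file.pdf",
    "http://www.tcpdf.org",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/xap/1.0/",
]

# Hosts that appear in PDFs only as XMP/RDF namespace identifiers in the metadata,
# never as links a reader can click. The set is an assumption for this example.
NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com", "www.aiim.org"}

# Path words typical of cracked-software SEO spam, drawn from the list above.
# The word list is an assumption, not the scanner's own rule.
SEO_WORDS = ("crack", "keygen", "activation-code", "serial-key", "torrent")

# A dot-separated path segment this long, drawn only from the base64 alphabet,
# is worth trying to decode. The 16-character floor is an assumption.
B64_SEGMENT = re.compile(r"^[A-Za-z0-9+/]{16,}$")


def is_namespace_uri(url):
    """True for metadata namespace URIs that should not count as external links."""
    return urlsplit(url).netloc in NAMESPACE_HOSTS


def link_farm_stats(urls):
    """Count what a PDF_SEO_LINK_FARM-style heuristic looks at: distinct clickable
    external URLs, how many point at .pdf files, how many carry SEO wording, and
    how concentrated they are on a single host."""
    clickable = list(dict.fromkeys(
        u for u in urls
        if u.startswith(("http://", "https://")) and not is_namespace_uri(u)
    ))
    hosts = Counter(urlsplit(u).netloc for u in clickable)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "clickable": len(clickable),
        "hosts": len(hosts),
        "pdf_links": sum(urlsplit(u).path.lower().endswith(".pdf") for u in clickable),
        "seo_links": sum(any(w in u.lower() for w in SEO_WORDS) for u in clickable),
        "top_host": top_host,
        "top_host_share": top_count / max(len(clickable), 1),
    }


def decode_b64_segments(url):
    """Decode every dot-separated path segment that looks like unpadded base64 and
    yields printable ASCII. Returns a list of (segment, decoded_text) pairs."""
    found = []
    for seg in urlsplit(url).path.split("."):
        if not B64_SEGMENT.match(seg):
            continue
        padded = seg + "=" * (-len(seg) % 4)   # restore the padding the URL dropped
        try:
            raw = base64.b64decode(padded)
        except ValueError:
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append((seg, raw.decode("ascii")))
    return found


if __name__ == "__main__":
    for key, value in link_farm_stats(URLS).items():
        print(f"{key}: {value}")
    for seg, text in decode_b64_segments(URLS[0]):
        print(f"{seg[:20]}... -> {text!r}")
```

On this subset, the first base64 segment decodes to a software title ("OziExplorer File Format Converter"), which is the lure the link farm advertises, and the second begins with "download|" followed by a further encoded layer that this example leaves as-is. The link statistics show half of the clickable URLs pointing at .pdf files on unrelated hosts; what threshold turns those numbers into a verdict is the scanner's business, not something this example decides.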