Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ce2133b7b23d2a7…

MALICIOUS

PDF

134.1 KB Created: 2022-06-08 01:58:34 +02:00 Authoring application: monjan (via PDF Master 1.0.1) First seen: 2022-07-15
MD5: 9986e4bed649cddf2f735cf3bda2c4d0 SHA-1: 7dc02d0c1ac94169e1b68916eb8932c9bc267545 SHA-256: 5ce2133b7b23d2a76e4dfb8bc8e793d4ffb2f9ff47eaa15f85371484f96e02b1
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, many of which point to other PDF files advertising cracked software. One embedded URL, http://evacdir.com/ambition/mcginnity/cathy.fatale/midsentence/..., likely serves as a download or redirection point for malicious payloads. The presence of a "download button" lure further supports a malicious intent to trick users into downloading unwanted software.

Machine Learning

  • Nyx PDF Classifier clean score 0.0167

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link farm advertises cracked/pirated software medium PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://evacdir.com/ambition/mcginnity/cathy.fatale/midsentence/?ZG93bmxvYWR8VVQzTVhOdU5YeDhNVFkxTkRZME16TTFNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.sunand=Rmxvb3B5Rmx
    • https://diontalent.nl/wp-content/uploads/2022/06/maurmarc.pdf
    • https://liquidonetransfer.com.mx/?p=4091
    • https://farmaciacortesi.it/eudora-password-recovery-crack-license-keygen/
    • https://www.realteqs.com/teqsplus/upload/files/2022/06/xih3q9yFh9Mzn7uPQuuR_07_aa351dbb86aeba740b7ada7872e5629a_file.pdf
    • https://isispharma-kw.com/tfs-test-plan-migration-tool-crack-activation-code-with-keygen-free/
    • https://aqary.co/wp-content/uploads/2022/06/AudioRelay_Incl_Product_Key_Free_PCWindows.pdf
    • https://www.nosnitches.com/upload/files/2022/06/ewnmKAfZRVPJcHEl6Ynh_07_aa351dbb86aeba740b7ada7872e5629a_file.pdf
    • https://sfinancialsolutions.com/wp-content/uploads/2022/06/ginjhaw.pdf
    • https://undergroundfrequency.com/upload/files/2022/06/NV8YcZMSEgkfEiWAWXTQ_07_962189d0ad110d7f33cff11113a270c9_file.pdf
    • https://www.midwestherbaria.org/portal/checklists/checklist.php?clid=70201
    • https://volospress.gr/advert/flagfox-for-firefox-crack-with-registration-code-2022/
    • https://midwestherbaria.org/portal/checklists/checklist.php?clid=70200
    • http://www.barberlife.com/upload/files/2022/06/HXQNWRU5Pm9u9EuaJyME_07_962189d0ad110d7f33cff11113a270c9_file.pdf
    • https://progressivehealthcareindia.com/2022/06/07/iskysoft-data-recovery-crack-mac-win/
    • https://elsaltodeconsciencia.com/wp-content/uploads/2022/06/SysTools_SQLite_Database_Recovery.pdf
    • https://allsporters.com/upload/files/2022/06/YCAhY9pYufACcl2rQCrG_07_962189d0ad110d7f33cff11113a270c9_file.pdf
    • https://bymariahaugland.com/wp-content/uploads/2022/06/dBpowerAMP_Music_Converter.pdf
    • https://www.realteqs.com/teqsplus/upload/files/2022/06/xih3q9yFh9Mzn7uPQuuR_07_aa351dbb86aeba740b7ada7872e5629a
    • https://www.nosnitches.com/upload/files/2022/06/ewnmKAfZRVPJcHEl6Ynh_07_aa351dbb86aeba740b7ada7872e5629a_file
    • https://undergroundfrequency.com/upload/files/2022/06/NV8YcZMSEgkfEiWAWXTQ_07_962189d0ad110d7f33cff11113a2
    • http://www.barberlife.com/upload/files/2022/06/HXQNWRU5Pm9u9EuaJyME_07_962189d0ad110d7f33cff11113a270c9_fil
    • https://aqary.co/wp-content/uploads/2022/06/audiorelay_incl_product_key_free_pcwindows.pdf
    • https://spacezozion.nyc3.digitaloceanspaces.com/upload/files/2022/06/OVcYFkS1zJcE5qaNxl8b_07_aa351dbb86aeba740b7ada7872e5629a_file.pdf
    • https://monarch.calacademy.org/checklists/checklist.php?clid=4661
    • https://tiocosetotufubasfe.wixsite.com/conshisgeoli/post/wifi-qr-code-scanner-4-1-00-026-crack-free-pc-windows-latest
    • http://www.tcpdf.org
    • https://spacezozion.nyc3.digitaloceanspaces.com/upload/files/2022/06/OVcYFkS1zJcE5qaNxl8b_07_aa351dbb86aeba740b7ad
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00002a21.bin
a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A21 120140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.