Malicious PDF — malware analysis report

Static analysis result for SHA-256 5efb898317766468…

Verdict: MALICIOUS
File type: PDF
Size: 124.7 KB
Created: 2022-07-04 09:41:47 +00:00
Authoring application: raidjan (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 02dd33c3456006958b4cf721ff26e5a0
SHA-1: ecdad1d3c3dd90ae40b18ad5c220c8019f56d48d
SHA-256: 5efb898317766468477ca40b12a70532bf417aa23a414d9687f41ba70135dcc3
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to cracked software. One prominent URL, http://raisengine.com/compusa/gannets/ZG93bmxvYWR8ejZqWlRSMk5ueDhNVFkxTmpnNU1qTTFNbng4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/?extraterrestrial=restorative.RmxhbWURmx.ayurvideic, appears to be a download link for a payload. The heuristic firings indicate a link farm designed to advertise cracked software, suggesting a malicious intent to lure users into downloading potentially harmful files.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0139

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link farm advertises cracked/pirated software (medium, PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://raisengine.com/compusa/gannets/ZG93bmxvYWR8ejZqWlRSMk5ueDhNVFkxTmpnNU1qTTFNbng4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/?extraterrestrial=restorative.RmxhbWURmx.ayurvideic