Malicious PDF — malware analysis report

Static analysis result for SHA-256 60e42448ffc3074e…

Verdict: MALICIOUS
File type: PDF
Size: 113.2 KB
Created: 2022-07-08 04:58:48 +00:00
Authoring application: lyondar (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: b01469d8b8ab9fec84d5f8947b8c3e70
SHA-1: 9511deb4f24603acd886cf3f35b27e983973fc4e
SHA-256: 60e42448ffc3074e1477a637ecdf424c1c47cd7767ef42cb31bc9029ffd10c07
Risk Score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, many of which appear to be SEO-optimized to lure users. One prominent URL, http://signforcover.com/ZG93bmxvYWR8c204WjJGdVkzeDhNVFkxTnpFNE5qazFOWHg4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/ananga.flite?ogallala=YmFjYSBrb21payBrdW5nZnUgYm95IGZ1bGwgdmVyc2lvbgYmF&magnanimity, likely serves as a download or redirect to a malicious payload. The presence of numerous PDF links suggests an attempt to distribute further malicious content or engage in link farming.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0169

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://signforcover.com/ZG93bmxvYWR8c204WjJGdVkzeDhNVFkxTnpFNE5qazFOWHg4TWpVNE4zeDhLRTBwSUVobGNtOXJkU0JiUm1GemRDQkhSVTVk/ananga.flite?ogallala=YmFjYSBrb21payBrdW5nZnUgYm95IGZ1bGwgdmVyc2lvbgYmF&magnanimity
    • https://smarthippo.org/wp-content/uploads/2022/07/Gta_Vice_City_Ultimate_Keysdatrar.pdf
    • https://awamagazine.info/advert/gba-emulator-62-roms-skidrow-reloaded-__link__/
    • https://smish.me/wp-content/uploads/2022/07/proxmox_vps_for_whmcs_47.pdf
    • https://www.townofholliston.us/sites/g/files/vyhlif706/f/uploads/town_department_office_hours.pdf
    • http://www.barberlife.com/upload/files/2022/07/jSEg3YPxkZaHibY5WJTo_08_be01b98b074106c13e316468a11ee610_file.pdf
    • https://vietnammototours.com/wp-content/uploads/2022/07/hellavy.pdf
    • http://moonreaderman.com/om-namah-shivay-tv-serial-title-song-_verified_-free-download/
    • http://galaxy7music.com/?p=52843
    • http://cyclades.in/en/?p=97703
    • https://adarsi.org/cursos/blog/index.php?entryid=3750
    • https://young-ocean-11414.herokuapp.com/template_buku_tahunan.pdf
    • https://www.brookfield.k12.ct.us/sites/g/files/vyhlif4196/f/pages/advocacy_letter_from_brookfield_public_schools.pdf
    • http://goldeneagleauction.com/?p=48948
    • http://meowmeowcraft.com/2022/07/08/shader-model-5-0-verified-free-download-rar/
    • http://fabianozan.com/?p=10098
    • https://studiolegalefiorucci.it/2022/07/08/marine-park-empire-high-quality-download-utorrent/
    • http://imeanclub.com/?p=79321
    • https://stompster.com/upload/files/2022/07/FFA2P8EsgnShltsm4k1D_08_f72e18e88136b4ed46ee6c9bc759b4eb_file.pdf
    • https://secureservercdn.net/160.153.138.105/7be.830.myftpupload.com/wp-content/uploads/2022/07/harlzave.pdf?time=1657256021
    • https://wakelet.com/wake/TDmN1WKqoAIBwA5Ar63WD
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/