Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c45dd41b9e33640…

Verdict: MALICIOUS
File type: PDF
Size: 123.3 KB
Created: 2022-06-06 17:30:33 +02:00
Authoring application: amavito (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: b738e2be31e52464fce75719597c8ad0
SHA-1: 361ced1eb74b9c6d5ca1743833e51f811e3f87c7
SHA-256: 6c45dd41b9e33640b7158108c3b715b5fa34d8b9b06ac3915da8b5ddb2114afd
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which appear to be part of a link farm designed to obscure the true destination. One prominent URL, http://evacdir.com/semi/appraise/areolae/aspect/atypical/chassagne/dowse=ZG93bmxvYWR8TmY1TW01d05IeDhNVFkxTkRVeU1qRXhNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.Ri1TZEJvdARi1, is likely a malicious download or redirect. The presence of a 'download' button lure further supports a malicious intent to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0098

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://evacdir.com/semi/appraise/areolae/aspect/atypical/chassagne/dowse=ZG93bmxvYWR8TmY1TW01d05IeDhNVFkxTkRVeU1qRXhNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.Ri1TZEJvdARi1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000201d.bin
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x201D
Size: 120140 bytes