PDF static analysis report

Static analysis result for SHA-256 7b6b2c99f37f70fa…

Verdict: SUSPICIOUS
File type: PDF
Size: 113.6 KB
Created: 2022-07-03 14:38:59 +00:00
Authoring application: careyan (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 76d771c1d92262318049885a04128c10
SHA-1: 22e8a63a44870cc310d4c73243f66e85a1b959e8
SHA-256: 7b6b2c99f37f70faa0e35d41fc61b0693877bb7568c1a04b93ee8779a286eea5
Risk score: 34

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment

The PDF document contains many embedded links, and the set as a whole is flagged by the PDF_CRACKED_SOFTWARE_LURE heuristic. The one link-annotation URI (the only target a reader can click directly) points to what appears to be a download redirector for potentially malicious content. No scripts or exploit constructs were extracted; the risk lies in the linked destinations, not in the file itself. The document structure and embedded URIs indicate an attempt to trick the user into downloading unwanted or malicious software, most likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0187

Heuristics (3)

  • PDF link farm advertises cracked/pirated software (medium, PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each followed by the channel that reached it:
    • http://seachtop.com/gyrating/RGl2aW5pdHlPcmlnaW5hbFNpbjJEaXZpbmVBc2NlbnNpb25GcmVlRG93bmxvYWRwb3J0YWJsZWVkaXRpb24RGl/turtledoves/landrace&mintage/rive&roly.ZG93bmxvYWR8enI3ZFhWM01IeDhNVFkxTmpjM01UZ3hPSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA (PDF link annotation)
    • https://www.amphenolalden.com/system/files/webform/faiher542.pdf (in PDF document text)
    • https://www.reperiohumancapital.com/system/files/webform/Ghost-hindi-dubbed-full-movie-free-download.pdf (in PDF document text)
    • https://mandarinrecruitment.com/system/files/webform/dreamup-1-3-2-1rar.pdf (in PDF document text)
    • https://socialpirate.org/upload/files/2022/07/1TaeoP1jwkv1nQj2hnz1_03_39c30e84c4aea6f720635f08ebfa2afa_file.pdf (in PDF document text)
    • https://www.hhlacademy.com/advert/handbook-of-nonprescription-drugs-17th-edition-pdf-download-link-full/ (in PDF document text)
    • http://giovanimaestri.com/?p=24276 (in PDF document text)
    • https://www.5etwal.com/the-chinese-pharmacopoeia-2010-english-edition-free-download-hot-mega-2/ (in PDF document text)
    • https://drtherapyplus.com/wp-content/uploads/2022/07/Astro_Vision_Lifesign_Standard_Full_Version_Hacked_With_Crac.pdf (in PDF document text)
    • https://fmpconnect.com/wp-content/uploads/2022/07/Usb_Virus_Scan_24_Build_0827_VERIFIED_Full_Serial_Number.pdf (in PDF document text)
    • https://www.29chat.com/upload/files/2022/07/1xKXvwrX7n5Q8v71KxQU_03_94574209ccb61841ef0244af64c4a50c_file.pdf (in PDF document text)
    • https://elsabioroble.com/wp-content/uploads/2022/07/IDoser_V5_Premium_All_Doses_Download_HOT.pdf (in PDF document text)
    • https://divyendurai.com/license-serial-key-norton-internet-security-16-8-3-6-_top_/ (in PDF document text)
    • https://marketstory360.com/news/44162/crack-spectromancer-gathering-of-15-upd/ (in PDF document text)
    • http://infoimmosn.com/?p=14819 (in PDF document text)
    • https://www.newbostonnh.gov/sites/g/files/vyhlif4756/f/uploads/chief_of_operations_ad_final_2022.pdf (in PDF document text)
    • https://kramart.com/rocksmith-2014-dlcs-song-pack-v-crack-link/ (in PDF document text)
    • https://www.calinews.pf/advert/dofactory-design-pattern-framework-4-torrent-hot/ (in PDF document text)
    • https://therootbrands.com/wp-content/uploads/2022/07/Zte_Mf190_Mobile_Partner_LINK.pdf (in PDF document text)
    • http://escortguate.com/link-download-saints-row-2-highly-compressed/ (in PDF document text)
    • https://secondhandbikes.co.uk/advert/7-wonders-ancient-world-game-crack-full/ (in PDF document text)
    • http://www.tcpdf.org (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://www.aiim.org/pdfa/ns/extension/ (in PDF document text)
    • http://www.aiim.org/pdfa/ns/schema# (in PDF document text)
    • http://www.aiim.org/pdfa/ns/property# (in PDF document text)
    • http://www.aiim.org/pdfa/ns/id/ (in PDF document text)
    Note that the last ten entries are not part of the lure: http://www.tcpdf.org is the URL the TCPDF generator library writes into its Producer string, and the w3.org, purl.org, ns.adobe.com and aiim.org entries are XMP/RDF schema namespace identifiers from the document's metadata packet, present in any XMP-bearing PDF.
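The PDF_CRACKED_SOFTWARE_LURE heuristic keys on piracy vocabulary in link targets, and the per-URL labels record which channel reached each URL. The block below is an added example, not the scanner's own code, showing one way to implement that logic: it carves /URI link-annotation targets out of raw PDF bytes, decodes base64-looking path segments (the report's link-annotation URI hides "FreeDownload" and "download|" that way, so a plain keyword match would miss it), scores each URL, and fires a document-level verdict once enough links match. The vocabulary list, the threshold of three links, the example.invalid targets and the minimal PDF are assumptions constructed for the example; the seachtop.com URI and the other hosts named in the code are copied from the report above.

```python
import base64
import re
from urllib.parse import unquote

# Lure vocabulary: an assumption for this example; the report does not publish the scanner's list.
LURE_RE = re.compile(
    r"crack|keygen|serial|warez|torrent|hacked|full[\s_-]*version|"
    r"free[\s_-]*download|license[\s_-]*key|highly[\s_-]*compressed", re.IGNORECASE)
# /URI action targets in raw PDF syntax: literal (...) with backslash escapes, or hex <...>.
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+_-]{16,}")


def extract_uri_annotations(pdf: bytes) -> list[str]:
    """Every /URI target visible in the raw bytes (link annotations / URI actions).
    Content streams are not inflated, so URLs typed into page text are not found here."""
    urls = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))  # drop escaping backslashes
        else:
            digits = re.sub(rb"\s", b"", m.group("hex"))
            raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
        urls.append(raw.decode("latin-1"))
    return urls


def decode_b64_segments(url: str) -> list[str]:
    """Decode base64/base64url-looking tokens, one URL segment at a time. Lure redirectors
    often carry the product name and 'free download' wording this way."""
    out = []
    for seg in re.split(r"[/?&=:#.]", unquote(url)):
        for tok in B64_TOKEN_RE.findall(seg):
            std = tok.translate(str.maketrans("-_", "+/")) + "=" * (-len(tok) % 4)
            try:
                raw = base64.b64decode(std, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                continue
            if raw and sum(32 <= b < 127 for b in raw) / len(raw) >= 0.9:  # mostly text
                out.append(raw.decode("ascii", "replace"))
    return out


def classify_url(url: str) -> dict:
    """Per-URL result: lure terms matched in the clear plus any revealed by decoding."""
    norm = lambda t: re.sub(r"[\s_-]+", "", t.lower())
    clear = {norm(t) for t in LURE_RE.findall(unquote(url))}
    decoded = decode_b64_segments(url)
    hidden = {norm(t) for d in decoded for t in LURE_RE.findall(d)}
    return {"url": url, "terms": sorted(clear | hidden),
            "hidden_terms": sorted(hidden), "decoded": decoded}


def score_document(links: list[tuple[str, str]], min_lure_links: int = 3) -> dict:
    """Document-level verdict in the spirit of PDF_CRACKED_SOFTWARE_LURE: fire once enough
    links carry piracy vocabulary. `links` pairs each URL with the channel that reached it
    (link annotation, document text, ...). The threshold of 3 is an assumption."""
    details = [dict(classify_url(url), channel=channel) for url, channel in links]
    lure_links = sum(1 for d in details if d["terms"])
    verdict = "PDF_CRACKED_SOFTWARE_LURE" if lure_links >= min_lure_links else "no lure detected"
    return {"verdict": verdict, "lure_links": lure_links,
            "total_links": len(links), "details": details}


# The link-annotation URI from the report above, split only for line length.
SEACHTOP = ("http://seachtop.com/gyrating/RGl2aW5pdHlPcmlnaW5hbFNpbjJEaXZpbmVBc2NlbnNpb25GcmVl"
            "RG93bmxvYWRwb3J0YWJsZWVkaXRpb24RGl/turtledoves/landrace&mintage/rive&roly."
            "ZG93bmxvYWR8enI3ZFhWM01IeDhNVFkxTmpjM01UZ3hPSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2"
            "WnlCYlJtRnpkQ0JIUlU1ZA")


def _annot(num: int, uri: bytes) -> bytes:
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI %s >> >> endobj\n" % (num, uri))


# Constructed minimal PDF: four link annotations, no content stream. Objects 5 and 6 point
# at made-up example.invalid hosts; 4 and 7 are copied from the report's URL list.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj\n"
    + _annot(4, b"(" + SEACHTOP.encode() + b")")
    + _annot(5, b"(https://example.invalid/files/Astro_Vision_Full_Version_Hacked_With_Crack.pdf)")
    + _annot(6, b"<" + b"https://example.invalid/norton-serial-key.html".hex().encode() + b">")
    + _annot(7, b"(https://www.newbostonnh.gov/sites/g/files/vyhlif4756/f/uploads/"
                b"chief_of_operations_ad_final_2022.pdf)")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    links = [(u, "PDF link annotation") for u in extract_uri_annotations(SAMPLE_PDF)]
    # Two document-text URLs copied from the report's list, as the second channel.
    links += [("https://marketstory360.com/news/44162/crack-spectromancer-gathering-of-15-upd/",
               "PDF document text"), ("http://www.tcpdf.org", "PDF document text")]
    report = score_document(links)
    print(report["verdict"], report["lure_links"], "of", report["total_links"], "links")
    for d in report["details"]:
        print(f"  [{d['channel']}] terms={d['terms']} hidden={d['hidden_terms']}")
```

Decoding works one URL segment at a time, so a base64 blob that itself contains a "/" would be decoded in misaligned pieces; the printable-ratio check is what keeps random-looking tokens (upload hashes, slugs that happen to have a base64-compatible length) from producing false matches.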

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                       Size
font_00_sfnt_off00001764.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x1764    85004 bytes
    SHA-256: 72509ddc9f192dda0052550bb60fb3a63743ef9e16594ac0102e9e01458a123b
font_01_sfnt_off0000a077.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0xA077    83036 bytes
    SHA-256: 6d13e73e85a502a13969f6a5eaecd0b275a0868c045f80b7d64ed55d70678261