PDF static analysis report

Static analysis result for SHA-256 83bff4288cd63656…

SUSPICIOUS

PDF

Size: 249.6 KB
Created: 2022-07-04 09:12:41 +00:00
Authoring application: kaflate (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: b8dffef4bb6a1daf23c39661d7375230
SHA-1: ec86c3266c0dbb66c237c3608470bd11cf5a34ac
SHA-256: 83bff4288cd6365634294f2c63fa55d2f6ffb3d32a0542087043b268cce58a99
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains multiple links that advertise cracked software, indicating a lure to trick users into downloading potentially malicious applications. One of the embedded URIs, http://godsearchs.com/archerylinks/army/burggarten.ZG93bmxvYWR8eGM5WkdjMVkzeDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA?U2ltcGxlIFZpZGVvIGNvbXByZXNzb3IU2l=pitch&philosophy=miscarried/, is particularly suspicious and likely serves as a download or redirection point. The presence of a 'PDF_CRACKED_SOFTWARE_LURE' heuristic further supports this assessment.

Machine Learning

  • Nyx PDF Classifier clean score 0.0067

Heuristics 4

  • PDF link farm advertises cracked/pirated software medium PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://godsearchs.com/archerylinks/army/burggarten.ZG93bmxvYWR8eGM5WkdjMVkzeDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA?U2ltcGxlIFZpZGVvIGNvbXByZXNzb3IU2l=pitch&philosophy=miscarried/ PDF link annotation

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002814.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2814 | 84640 bytes
  SHA-256: 5469d87e49db2e9b2bbbf73ce09eff790bdd1f43cfcf051a1c71c445cc3e337a
font_01_sfnt_off0000b06b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB06B | 83036 bytes
  SHA-256: 6d13e73e85a502a13969f6a5eaecd0b275a0868c045f80b7d64ed55d70678261