Malicious PDF — malware analysis report

Static analysis result for SHA-256 84f43f3f0d321245…

Verdict: MALICIOUS
File type: PDF
Size: 121.8 KB
Created: 2022-07-04 06:48:30 +00:00
Authoring application: ualugio (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: a13b0c0c6ab12b10373b91cbe5ef7e00
SHA-1: fab666ff1992b711c2c7083c2136bfdf7db50084
SHA-256: 84f43f3f0d3212452bb34da0635fe80ca63739dcc168441511aae2ec6c01040b
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains a large number of external links, many of which are advertised as cracked or pirated software. One of the embedded URLs, http://xtraserp.com/jenny/classmates/ZG93bmxvYWR8dlczWVRJeWRueDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/addtional.ofpa..UERGIFdhdGVybWFyayBQcm8UER, appears to be a lure for downloading a malicious file. The document's structure and content suggest it is part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.0094

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link farm advertises cracked/pirated software (severity: medium, rule: PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://xtraserp.com/jenny/classmates/ZG93bmxvYWR8dlczWVRJeWRueDhNVFkxTmpnNU1qTTFNbng4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/addtional.ofpa..UERGIFdhdGVybWFyayBQcm8UER