Malicious PDF — malware analysis report

Static analysis result for SHA-256 896fcd7ca5dcde09…

Verdict: MALICIOUS
File type: PDF
Size: 79.7 KB
Created: 2022-06-13 09:17:47 +02:00
Authoring application: grayfurn (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: fc67195ce02b163cfad7b9afef28f7a0
SHA-1: 253a4a7cd8e2da5b3722f27fef54721805605041
SHA-256: 896fcd7ca5dcde09664fac32f162e246dd47f85804862246b0a3e57e0b42ff28
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic; that is the profile of a generated SEO link-farm carrier, a PDF whose purpose is to route users into a download chain, rather than of a document citing sources. The link targets support that reading: most follow one of two path templates repeated across unrelated hosts (/upload/files/2022/06/<id>_13_<32-hex-digit token>_file.pdf and /advert/<slug>/), and the slugs advertise cracked software, keygens, license keys and pirated films. The http://evacdir.com/ URL is the one target with base64-encoded segments in its path: the leading segment decodes to "download|" and the trailing segment to the search phrase "harry potter series 1080p dual audio", consistent with a pirated-media download lure. The extracted document body is heavily obfuscated and yields no readable instructions, so the verdict rests on the link structure. None of the heuristics below reports script or JavaScript content, so the PowerShell technique listed above describes an expected downstream stage of such chains, not behaviour observed in this file.

Machine Learning

  • Nyx PDF Classifier clean score 0.2181

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://evacdir.com/ZG93bmxvYWR8dWQxTVRWM2NUaDhmREUyTlRRNU9Ea3hOako4ZkRJMU9EZDhmQ2hOS1NCSVpYSnZhM1VnVzBaaGMzUWdSMFZPWFE/roof/bouwmeester/computing/subaru/heresy/systolic=aGFycnkgcG90dGVyIHNlcmllcyAxMDgwcCBkdWFsIGF1ZGlvaGF
    • http://feline-nord-picardie.fr/advert/in-naturalibus/
    • http://chatroom.thabigscreen.com:82/upload/files/2022/06/6SWRnZlxbgSA1gZVs1BL_13_ea263f43fcb8e79e07d57a9f98dde395_file.pdf
    • http://www.flexcompany.com.br/flexbook/upload/files/2022/06/cnvr4QLqVfMq3wDmVFbw_13_231476df3ee8e98d51818aeac443a3be_file.pdf
    • https://www.laundryandcleaningtoday.co.uk/advert/windows-7-ultimate-usb-drive-edition-x86-v4b-by-imortaluz-free/
    • https://wocfolx.com/upload/files/2022/06/2ImlBJsuttXTNe62I77s_13_9eff195005bd1bddc250776cc71f491b_file.pdf
    • https://warm-ridge-17347.herokuapp.com/Filmul_Alvin_Si_Veveritele_1_Dublat_In_Romana.pdf
    • https://www.la-pam.nl/zertifikat-b1-neu-pdf-15/
    • https://ozrural.com/index.php/advert/xforce-keygen-64-bit-maya-lt-2009-crack/
    • https://pacific-savannah-80017.herokuapp.com/alcpt_form_1_to_100_Full.pdf
    • https://battlefinity.com/upload/files/2022/06/qMgmVrMFVOs2owPIdyYr_13_231476df3ee8e98d51818aeac443a3be_file.pdf
    • https://one97.online/advert/celebrity-model-escort-in-ghaziabad/
    • https://alumni.armtischool.com/upload/files/2022/06/Dja3oB25qNJZupQ8Yp69_13_7b16895d38160ec7393953bd3ccb0bed_file.pdf
    • https://www.modifind.com/offroad/advert/think-cell-license-key-top-crack/
    • https://onefad.com/i1/upload/files/2022/06/2b2kBAG6cVgg85hi2b1I_13_231476df3ee8e98d51818aeac443a3be_file.pdf
    • https://agile-gorge-96280.herokuapp.com/toppquir.pdf
    • http://networks786.ovh/upload/files/2022/06/RZrnQ2xdAppqqhf2p3hd_13_839eb4ceb03e8fb754d2333126820bdc_file.pdf
    • https://storage.googleapis.com/paloodles/upload/files/2022/06/XX7nHFRBvTnlt8FJfTVo_13_1ba5957d9492d1fd67dcb07d2ff4f595_file.pdf
    • https://www.pedomanindonesia.com/advert/jaane-bhi-do-yaaro-download-movie-torrent/
    • https://otelgazetesi.com/advert/license-key-for-easendmail-tryit-hot/
    • https://circles.nyc3.digitaloceanspaces.com/upload/files/2022/06/7ANQHxTaN83mPRGw6b4c_13_349ac890a251cd2b0200346ebf3977f1_file.pdf
    The remaining URLs are schema and namespace identifiers from the document's XMP metadata packet, plus the home page of the TCPDF library; they are not clickable link targets and appear in any PDF whose metadata uses these schemas:
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off00000df0.bin
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xDF0
Size: 120140 bytes
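The checks behind this report can be reproduced with a short script: the three URL channels the EMBEDDED_URL entry distinguishes (link annotation, metadata, document body), the PDF_SEO_LINK_FARM test as the heuristic text describes it, the base64 segments in the evacdir.com path, and the inflation of the FlateDecode stream that the artifacts section carved. The code below is an added example written for this page, not the analysis platform's code. The PDF it builds is constructed (placeholder hosts under example.invalid), and the thresholds for "small", "many" and "clustered on one host" are assumptions, since the report does not publish them.

```python
"""Pull URLs out of a PDF by channel and score the SEO link-farm pattern.
Added example for this report, not the analysis platform's code: /URI actions,
XMP namespace URIs and bare body URLs are kept apart, FlateDecode streams are
inflated before scanning, base64-looking path segments are decoded. Thresholds
and the sample PDF are assumptions."""
import base64, re, zlib
from collections import Counter
from urllib.parse import urlparse

MAX_SMALL_PDF_BYTES, MIN_CLICKABLE_LINKS, MIN_TOP_HOST_SHARE = 200 * 1024, 10, 0.5  # assumed
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal string)
_URL_RE = re.compile(rb"https?://[^\s<>\"'()\]]+")
_XMP_RE = re.compile(rb"<x:xmpmeta.*?</x:xmpmeta>", re.S)
_B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}$")

def iter_streams(pdf):
    """Yield (dict_text, data) per stream; the dictionary runs from the nearest
    preceding 'obj' keyword, so nested << >> cannot confuse it."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        end = pdf.find(b"endstream", m.end())
        if end < 0:
            break
        yield pdf[max(pdf.rfind(b" obj", 0, m.start()), 0):m.start()], pdf[m.end():end]

def inflate(data):
    """FlateDecode; decompressobj tolerates the EOL bytes before 'endstream'."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""

def extract_urls(pdf):
    """Return clickable /URI targets, XMP namespace URIs and bare body URLs. A plain
    grep misses /URI actions inside compressed streams, so those are inflated too."""
    unescape = lambda s: re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")  # \( \) \\
    blobs = [pdf] + [inflate(d) for t, d in iter_streams(pdf) if b"/FlateDecode" in t]
    clickable, metadata, body = [], set(), set()
    for blob in blobs:
        clickable += [unescape(m.group(1)) for m in _URI_RE.finditer(blob)]
        for xmp in _XMP_RE.finditer(blob):
            metadata.update(u.decode("latin-1") for u in _URL_RE.findall(xmp.group(0)))
        body.update(u.decode("latin-1") for u in _URL_RE.findall(_XMP_RE.sub(b"", blob)))
    body -= set(clickable) | metadata
    return {"clickable": clickable, "metadata": sorted(metadata), "body": sorted(body)}

def link_farm_verdict(pdf_size, clickable):
    """PDF_SEO_LINK_FARM as the report words it: small file, many clickable external
    links, mostly on one host. The dominant path template is reported too, since the
    report's URL list repeats /upload/files/... and /advert/... across unrelated hosts."""
    n = len(clickable)
    hosts = Counter(urlparse(u).hostname or "" for u in clickable)
    shapes = Counter("/".join(urlparse(u).path.split("/")[:3]) for u in clickable)
    top_host, top_n = hosts.most_common(1)[0] if n else ("", 0)
    share = round(top_n / n, 2) if n else 0.0
    return {"links": n, "distinct_hosts": len(hosts), "top_host": top_host,
            "top_host_share": share, "top_path_template": shapes.most_common(1)[0][0] if n else "",
            "PDF_SEO_LINK_FARM": pdf_size <= MAX_SMALL_PDF_BYTES
            and n >= MIN_CLICKABLE_LINKS and share >= MIN_TOP_HOST_SHARE}

def decode_b64_segments(url):
    """Decode base64-looking path segments (split on '/' and '='); only fully printable
    results are kept, so ordinary words and binary junk drop out."""
    found = []
    for seg in filter(_B64_RE.match, re.split(r"[/=]", urlparse(url).path)):
        try:
            raw = base64.b64decode(seg + "=" * (-len(seg) % 4))
        except ValueError:  # binascii.Error: length that no padding can fix
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found

def _stream_obj(num, dict_body, data):
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (num, dict_body, len(data), data)

def build_sample():
    """Constructed PDF fragment, not the analysed file: one /URI annotation in a plain
    object, eleven more in a FlateDecode stream (object-stream header omitted), nine of
    the twelve on one placeholder host, an XMP packet and one bare body URL."""
    lure = (b"http://farm.example.invalid/ZG93bmxvYWR8/roof/systolic="
            b"aGFycnkgcG90dGVyIHNlcmllcyAxMDgwcCBkdWFsIGF1ZGlv")  # hypothetical host
    annot = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n"
    hidden = b"".join(annot % (b"https://%s/upload/files/2022/06/item_%d_file.pdf" % (
        b"farm.example.invalid" if i < 8 else b"host%d.example.invalid" % i, i)) for i in range(11))
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/'
           b'22-rdf-syntax-ns#"><rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><pdf:Producer>TCPDF (http://www.tcpdf.org)'
           b"</pdf:Producer></rdf:Description></rdf:RDF></x:xmpmeta>")
    return (b"%PDF-1.5\n1 0 obj\n" + annot % lure + b"endobj\n"
            + _stream_obj(2, b"/Type /ObjStm /Filter /FlateDecode", zlib.compress(hidden))
            + _stream_obj(3, b"/Type /Metadata /Subtype /XML", xmp)
            + b"4 0 obj\n<< /Note (see http://body.example.invalid/notes) >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    sample = build_sample()
    urls = extract_urls(sample)
    print(urls, link_farm_verdict(len(sample), urls["clickable"]), sep="\n")
    print({u: d for u in urls["clickable"] if (d := decode_b64_segments(u))})
```

Run stand-alone it prints the three channels separately, the verdict dictionary and the decoded path segments of the constructed lure. Against a real sample, pass the file bytes instead of calling build_sample(). The parser deliberately stays small: it handles literal-string /URI entries and FlateDecode only, so hex-string URIs, other filters (LZWDecode, ASCII85Decode) and encrypted documents would need adding before relying on a zero-link result. The top_path_template field is an extra signal beyond what the report's heuristic text claims; it is included because the URL list above shows the same two path shapes repeating across otherwise unrelated hosts.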