PDF static analysis report

Static analysis result for SHA-256 956bd263956d7cb6…

SUSPICIOUS

PDF

Size: 148.7 KB
Created: 2022-06-10 05:40:03 +02:00
Authoring application: saksalt (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 2cb85f8430a4df8f5768a1f737937880
SHA-1: 36a19824ef63a751be0928faa5857e20cc22092a
SHA-256: 956bd263956d7cb6d5477599e9c581b797c3dbaa10d7066fed0aa55d946939b6
Risk Score: 34

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains heuristics indicating it advertises cracked software, a common lure for malicious documents. It embeds multiple external URLs, one of which is flagged as a potential threat. The primary URL, http://evacdir.com/aptos/balkline/bertha/balconies&goudkov/ZG93bmxvYWR8bnU5TnpsdWNYeDhNVFkxTkRjNE1EZzNPWHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/loyal?Y2FiYWwgZnVqaSB0cmFpbmVyIGZyZWUgZG93bmxvYWQY2F=mansards, is likely used to download a secondary payload. The document body was not sufficiently readable to provide further context.

Machine Learning

  • Nyx PDF Classifier clean score 0.0093

Heuristics (3)

  • PDF link farm advertises cracked/pirated software [medium] PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://evacdir.com/aptos/balkline/bertha/balconies&goudkov/ZG93bmxvYWR8bnU5TnpsdWNYeDhNVFkxTkRjNE1EZzNPWHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/loyal?Y2FiYWwgZnVqaSB0cmFpbmVyIGZyZWUgZG93bmxvYWQY2F=mansards (source: PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off000016d7.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x16D7
Size: 120140 bytes
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4