Malicious PDF — malware analysis report

Static analysis result for SHA-256 99ef5415c29f181c…

Verdict: MALICIOUS
File type: PDF
Size: 145.0 KB
Created: 2022-06-10 05:23:30 +02:00
Authoring application: elbemak (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 5677f4cde7b186ca3dbf008f12e01370
SHA-1: d096c3118748c9afcef2152d3037177ed1a9a27d
SHA-256: 99ef5415c29f181c6c6232ed64b94e6f99bf19a6fbcbf11017aa271191ab0a13
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF document contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. One of the primary external URIs, http://evacdir.com/..., is suspicious and likely leads to a malicious download or phishing page. The document body is heavily obfuscated and does not provide clear textual lures, but the presence of numerous external links points towards a delivery mechanism for further malicious content.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0112

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://evacdir.com/bmZwYSA0OTcgcGRmIGZyZWUgZG93bmxvYWQbmZ/ZG93bmxvYWR8RTlrTm01MmEzeDhNVFkxTkRjNE1EZzNPWHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.adorns?&helminthic=holstering&descision=neeps
    • https://madreandiscovery.org/fauna/checklists/checklist.php?clid=19810
    • https://bestoffers-online.com/wp-content/uploads/2022/06/Sound_Forge_Pro_11_Serial_Number_Crack_Keygen_Download_LINK.pdf
    • https://sharingourwealth.com/social/upload/files/2022/06/tYhuuDYIEc9vcvgujrM7_10_fe7725d4f0a046c574492b4c63a6c1fe_file.pdf
    • https://flaxandthimble.com/wp-content/uploads/2022/06/haydelli.pdf
    • https://www.waefler-hufbeschlag.ch/wp-content/uploads/2022/06/Ontrack_EasyRecovery_Professional_V61202_RH_Keygen.pdf
    • https://allthingsblingmiami.com/?p=28575
    • https://travelfamilynetwork.com/wp-content/uploads/2022/06/Bitwar_IPhone_Data_Recovery_LINK.pdf
    • https://pneuscar-raposo.com/eacricket07strokevariationpatchv12/
    • https://thenationalreporterng.com/acronis-true-image-2017-20-0-build-8053-activator-crack/
    • https://logocraticacademy.org/windows-kms-activator-ultimate-2019-4-9-latest/
    • https://www.habkorea.net/wp-content/uploads/2022/06/Artlantis_studio_418_64_bit_crack.pdf
    • https://www.latablademultiplicar.com/?p=3362
    • https://arseducation.com/ateilla-professional-id-card-maker/
    • https://www.grenobletrail.fr/wp-content/uploads/2022/06/sakumart.pdf
    • https://sokhanedoost.com/fastgsm-bcm-flasher-10033-mediafire-fixed-free-17/
    • https://social.arpaclick.com/upload/files/2022/06/CEZGIv9ucemLtqWIMqW3_10_1019e1ca54f91124583d52d2f7528785_file.pdf
    • https://www.iroschool.org/wp-content/uploads/2022/06/KaraokeKanta_7_0_Crack_Full_Version.pdf
    • https://www.campingcar.ch/advert/panda-dome-premium-18-upd-crack/
    • https://undergroundfrequency.com/upload/files/2022/06/G6q3cENs1OYC9C2neEXf_10_fe7725d4f0a046c574492b4c63a6c1fe_file.pdf
    • https://bestoffers-online.com/wp-
    • https://sharingourwealth.com/social/upload/files/2022/06/tYhuuDYIEc9vcvgujrM7_10_fe7725d4f0a046c574492b4c63a6
    • https://www.waefler-hufbeschlag.ch/wp-
    • https://social.arpaclick.com/upload/files/2022/06/CEZGIv9ucemLtqWIMqW3_10_1019e1ca54f91124583d52d2f752878
    • https://undergroundfrequency.com/upload/files/2022/06/G6q3cENs1OYC9C2neEXf_10_fe7725d4f0a046c574492b4c63
    • https://fiverryourparty.wpcomstaging.com/wp-content/uploads/2022/06/yalikeig.pdf
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000196f.bin
SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x196F
Size: 120140 bytes

Filename: stream_009_off0001ba93.bin
SHA-256: df221e87b81d1531cafdadb6c09a602e9f604d1baf0a17bbd350cbb83baa06f7
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1BA93
Size: 119072 bytes