Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab970b4ec4576ee8…

Verdict: MALICIOUS
File type: PDF
Size: 126.7 KB
Created: 2022-06-30 19:13:09 +02:00
Authoring application: harkalm (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 25baaac785dc307df6d7b0bc5557f240
SHA-1: adb430d257646b9086a939f058ed8c4e27ac1167
SHA-256: ab970b4ec4576ee878547f591f35a591167d8a1107b95c3301ed664b113590a8
Risk score: 64

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are disguised as software downloads, indicating a phishing or malware distribution attempt. The heuristic 'PDF_SEO_LINK_FARM' specifically flags the presence of a link farm within the PDF, suggesting an effort to drive traffic to external sites. The embedded URL 'http://awarefinance.com/mackay/cairn/progestins.enteroviruses.ZG93bmxvYWR8V1c3TVc1MGIzeDhNVFkxTmpZd05ESTNOSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.UGhvdG9zaG9wUGh' is particularly suspicious due to its encoded nature and unusual domain.

Machine Learning

  • Nyx PDF Classifier clean score 0.0156

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://awarefinance.com/mackay/cairn/progestins.enteroviruses.ZG93bmxvYWR8V1c3TVc1MGIzeDhNVFkxTmpZd05ESTNOSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA.UGhvdG9zaG9wUGh

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00002762.bin
    SHA-256: a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2762
    Size: 120140 bytes