Malicious PDF — malware analysis report

Static analysis result for SHA-256 acde92cb05a2d366…

MALICIOUS

PDF

Size: 124.2 KB
Created: 2022-07-08 03:20:13 +00:00
Authoring application: chemarg (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 33c45006b42dc4764670e97c51fab000
SHA-1: 1f936906bf68202e111aebde6654f68e10cae61f
SHA-256: acde92cb05a2d366d3569a04244f35d25a4f3100ab7b977f496a9a70b3eec458
Risk score: 144

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1566 Phishing

The PDF document contains a large number of external links, many of which appear to be SEO-optimized for search engines, suggesting a link farm. One heuristic specifically identifies a "Password-protected archive handoff," indicating the document's likely purpose is to trick the user into downloading a password-protected file. The embedded URLs likely lead to malicious payloads or further phishing attempts.

Machine Learning

  • Nyx PDF Classifier clean score 0.0054

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dawnloadonline.com/ZG93bmxvYWR8OFVjWkhwdGFIeDhNVFkxTnpFNE5qazFOWHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/schulman.adaptive/bopper.doens/atypy.TGJwODEwIFIxMTAgVjExMCBXaW4gWDY0IEVuIDdleGUgNDATGJ.paratroops
    • https://domainmeans.com/buddha-dll-download-fixed-for-hitman-absolution/
    • http://slimancity.com/upload/files/2022/07/pY1i9zpi3xiKS3Kf5L9o_08_9892d9e78eaf39b7ae1e820c60845f7f_file.pdf
    • https://ictlife.vn/upload/files/2022/07/RCsfSZxJlpj1ftsqRcEo_08_3807c7bd66b7ae3e230f81f74e3b7028_file.pdf
    • https://greengrovecbd.com/blog/electromagnetic-fields-wangsness-solution-manual-2021/
    • https://oknit.ru/wp-content/uploads/2022/07/Knjiga_Zavoli_Bolest_Svoju_Pdf_Download16_LINK.pdf
    • https://thecryptobee.com/bleach-circle-eden-mayuri-6-12/
    • https://mandarinrecruitment.com/system/files/webform/kaumanf791.pdf
    • http://classacteventseurope.com/wp-content/uploads/2022/07/free_download_torrent_for_Special_26_movie_in_hindi_720p-1.pdf
    • https://www.voyavel.it/duke-nukem-forever-trainer-razor-1911-keygen-new/
    • https://www.promorapid.com/upload/files/2022/07/icTAhM1MqSZmHpPoCzXB_08_3807c7bd66b7ae3e230f81f74e3b7028_file.pdf
    • http://www.bayislistings.com/vueminder-calendar-ultimate-2018-00-portable-high-quality-keygen/
    • https://ja-zum-leben.de/wp-content/uploads/2022/07/xylwall.pdf
    • https://dokilink.com/sites/dokilink.com/files/webform/arin/truepiano-194-keygen.pdf
    • https://www.nextiainfissi.it/2022/07/08/rebarcad-v9-01-top-keygen/
    • https://delcohempco.com/2022/07/07/ls-magazine-issue-14-everything-about-me-set-torrent-download-verified/
    • https://matecumberesort.net/wp-content/uploads/2022/07/Heropanti_Movie_Download_In_Hd_1080p_BEST.pdf
    • https://chatbook.pk/upload/files/2022/07/KcWUiMDJuacIyXjfKQRh_08_3b6d40640a62619d2254135e83abeb11_file.pdf
    • https://h-stop.com/wp-content/uploads/2022/07/Cara_Membuka_Password_Rar_Dengan_Cmd.pdf
    • https://heidylu.com/orient-bear-rasim-14/
    • http://slimancity.com/upload/files/2022/07/pY1i9zpi3xiKS3Kf5L9o_08_9892d9e78eaf39b7ae1e820c60
    • https://ictlife.vn/upload/files/2022/07/RCsfSZxJlpj1ftsqRcEo_08_3807c7bd66b7ae3e230f81f74e3b702
    • http://classacteventseurope.com/wp-
    • https://www.promorapid.com/upload/files/2022/07/icTAhM1MqSZmHpPoCzXB_08_3807c7bd66b7ae3
    • https://delcohempco.com/2022/07/07/ls-magazine-issue-14-everything-about-me-set-torrent-
    • https://matecumberesort.net/wp-
    • https://chatbook.pk/upload/files/2022/07/KcWUiMDJuacIyXjfKQRh_08_3b6d40640a62619d2254135e8
    • https://heidylu.co
    • https://trello.com/c/2g4ALCY9/139-selvicoltura-generale-piussi-pdf-download-fixed
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/