PDF static analysis report

Static analysis result for SHA-256 c115b16fbef9014e…

SUSPICIOUS

PDF

Size: 127.0 KB
Created: 2022-06-09 23:17:03 +02:00
Authoring application: misffur (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: af2b86f20ea7eb8b3f4c2969841391f0
SHA-1: 79be9c5c59012ad2388dcb6ae3972658c358bead
SHA-256: c115b16fbef9014ea119ff49e44bd3702642f35c98fbc31a0ff54b1498b12e61
Risk Score: 34

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains multiple embedded URLs and heuristics indicate it advertises cracked software. The primary URL, http://evacdir.com/comedically.ZG93bmxvYWQgZmlyZWRhYyBkZWxwaGkgeGU0IGNyYWNrZG9?alkaloid=brickyard&coutnry=caracas&fridge=ZG93bmxvYWR8cVU2Wm5GaU1YeDhNVFkxTkRjNE1EYzROM3g4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA&, is likely a download link for a malicious payload. No scripts were extracted, but the document's structure and content strongly suggest a phishing attempt to trick users into downloading malware disguised as cracked software.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0280

Heuristics (3)

  • PDF link farm advertises cracked/pirated software [medium] PDF_CRACKED_SOFTWARE_LURE
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://evacdir.com/comedically.ZG93bmxvYWQgZmlyZWRhYyBkZWxwaGkgeGU0IGNyYWNrZG9?alkaloid=brickyard&coutnry=caracas&fridge=ZG93bmxvYWR8cVU2Wm5GaU1YeDhNVFkxTkRjNE1EYzROM3g4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA& (channel: PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_003_off00001c40.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1C40
Size: 120352 bytes
SHA-256: b4bd86f369fadf999a1bf3115a95e4b3a5c6df18e51465b5536b0fe5cd402d6c