Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4668b13566b598b…

Verdict: MALICIOUS
File type: PDF
Size: 129.7 KB
Created: 2022-06-30 01:29:43 +02:00
Authoring application: marnaom (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: 7da1c48e0bc7d4afe2cdc728a63ecd10
SHA-1: 30e75bbb45c6b1f056c9d8920cf03c06d429f133
SHA-256: c4668b13566b598bd67830aa17a9bee6493dd0a3e2dd41959c88b71d267588d0
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

The PDF contains an unusually large number of external links for its size. Those with readable paths advertise AutoCAD cracks and keygens (SEO lure text, many under wp-content/uploads paths of unrelated sites), and the critical PDF_SEO_LINK_FARM heuristic flags the document as a generated link-farm carrier rather than a normal citation pattern. The http://dormister.com/... link stands out: its path is built from base64-encoded segments (QXV0b0NBRA decodes to "AutoCAD", ZG93bmxvYWR8 to "download|"), the shape of a download-redirect gateway, so it is the likely route to a second-stage payload. That is an inference from the URL structure, not an observed download; the analysis is static, and nothing in it shows PowerShell, so the T1059.001 mapping records the expected follow-on rather than evidence from this sample. The document body was heavily obfuscated and truncated, which prevented a more detailed analysis of its specific lure.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0163

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI_IP_LITERAL (medium): clickable URI points to raw IP address
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF_URI (info): external URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The w3.org, purl.org, ns.adobe.com and aiim.org entries at the end of the list are XMP and PDF/A namespace identifiers, and www.tcpdf.org is the home page of the TCPDF library as it appears in producer metadata; these come from the metadata stream, not from link annotations.
    • http://dormister.com/QXV0b0NBRAQXV.creamers.aggressives/degreed.ZG93bmxvYWR8NnhUTjNOdGIzeDhNVFkxTmpVeU1EQTFNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/jill/milled/muttering
    • https://materiaselezioni.com/wp-content/uploads/2022/06/AutoCAD_Crack__Torrent_completo_del_numero_de_serie_MacWin.pdf
    • https://sportsperformance.directory/wp-content/uploads/2022/06/darwyn.pdf
    • https://www.chiesacristiana.eu/wp-content/uploads/2022/06/AutoCAD-45.pdf
    • https://letsgrowapple.com/connect/upload/files/2022/06/Q2HywnT4GqiM7lPUDyOi_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf
    • http://www.giffa.ru/financeloans/autodesk-autocad-19-1-crack-clave-de-licencia-gratuita-2022/
    • https://ssmecanics.com/autocad-2020-23-1-crack-keygen/
    • https://ryhinmobiliaria.co/wp-content/uploads/2022/06/AutoCAD-53.pdf
    • http://love.pinkjelly.org/upload/files/2022/06/cnvcYtmu122RpLcWuQQm_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf
    • http://3.16.76.74/advert/autodesk-autocad-crack-mac-win-actualizado/
    • https://gembeltraveller.com/autocad-crack-clave-de-licencia-llena-gratis/
    • https://scamfie.com/wp-content/uploads/2022/06/Autodesk_AutoCAD.pdf
    • https://7blix.net/wp-content/uploads/2022/06/AutoCAD-49.pdf
    • https://bromedistrict.com/autocad-version-completa-gratis/
    • http://www.male-blog.com/2022/06/29/autocad-24-0-crack-descargar-3264bit/
    • https://www.didochat.com/upload/files/2022/06/Tgy4CRNbT9lY82iMkPLU_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf
    • https://www.mypolithink.com/advert/autodesk-autocad-2017-21-0-crack-con-keygen-completo/
    • https://vietnamnuoctoi.com/upload/files/2022/06/2uusd891GqaGHOUh1P79_29_b1f3bc4189b4009e6c5ca1da00fdb561_file.pdf
    • https://txuwuca.com/upload/files/2022/06/EtmHK7bReZ2kYTdejo6Y_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf
    • http://pensjonatewa.pl/autocad-2023-24-2-crack-gratis-marzo-2022/
    • https://www.yourlocalmusician.com/wp-content/uploads/2022/06/gincoll.pdf
    • https://materiaselezioni.com/wp-
    • https://letsgrowapple.com/connect/upload/files/2022/06/Q2HywnT4GqiM7lPUDyOi_29_d5f9d29bcd7544ed1e442041a435c59
    • https://www.didochat.com/upload/files/2022/06/Tgy4CRNbT9lY82iMkPLU_29_d5f9d29bcd7544ed1e442041a435c593_file.p
    • https://vietnamnuoctoi.com/upload/files/2022/06/2uusd891GqaGHOUh1P79_29_b1f3bc4189b4009e6c5ca1da00fdb561_file.p
    • http://www.tcpdf.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/
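As an added example (not the analysis engine's code and not part of this report), the Python below reproduces the PDF_SEO_LINK_FARM and PDF_URI_IP_LITERAL checks over the 21 full clickable URLs listed above and decodes the base64-looking path segments of the dormister.com link. The lure-word list, the minimum token length and the decode heuristic (take the longest base64 prefix that inflates to printable ASCII, so a token with trailing junk still yields its head) are my assumptions. Run over this list it reports 21 links on 21 distinct hosts, so for this sample the link-farm signal is the volume of PDF-to-PDF links and crack/keygen lure paths rather than clustering on one host as the heuristic text describes.

```python
import base64
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# The 21 full clickable URLs from the report above, copied verbatim. The
# truncated repeats and the XMP namespace URIs are left out on purpose.
REPORT_URLS = [
    "http://dormister.com/QXV0b0NBRAQXV.creamers.aggressives/degreed.ZG93bmxvYWR8NnhUTjNOdGIzeDhNVFkxTmpVeU1EQTFNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/jill/milled/muttering",
    "https://materiaselezioni.com/wp-content/uploads/2022/06/AutoCAD_Crack__Torrent_completo_del_numero_de_serie_MacWin.pdf",
    "https://sportsperformance.directory/wp-content/uploads/2022/06/darwyn.pdf",
    "https://www.chiesacristiana.eu/wp-content/uploads/2022/06/AutoCAD-45.pdf",
    "https://letsgrowapple.com/connect/upload/files/2022/06/Q2HywnT4GqiM7lPUDyOi_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf",
    "http://www.giffa.ru/financeloans/autodesk-autocad-19-1-crack-clave-de-licencia-gratuita-2022/",
    "https://ssmecanics.com/autocad-2020-23-1-crack-keygen/",
    "https://ryhinmobiliaria.co/wp-content/uploads/2022/06/AutoCAD-53.pdf",
    "http://love.pinkjelly.org/upload/files/2022/06/cnvcYtmu122RpLcWuQQm_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf",
    "http://3.16.76.74/advert/autodesk-autocad-crack-mac-win-actualizado/",
    "https://gembeltraveller.com/autocad-crack-clave-de-licencia-llena-gratis/",
    "https://scamfie.com/wp-content/uploads/2022/06/Autodesk_AutoCAD.pdf",
    "https://7blix.net/wp-content/uploads/2022/06/AutoCAD-49.pdf",
    "https://bromedistrict.com/autocad-version-completa-gratis/",
    "http://www.male-blog.com/2022/06/29/autocad-24-0-crack-descargar-3264bit/",
    "https://www.didochat.com/upload/files/2022/06/Tgy4CRNbT9lY82iMkPLU_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf",
    "https://www.mypolithink.com/advert/autodesk-autocad-2017-21-0-crack-con-keygen-completo/",
    "https://vietnamnuoctoi.com/upload/files/2022/06/2uusd891GqaGHOUh1P79_29_b1f3bc4189b4009e6c5ca1da00fdb561_file.pdf",
    "https://txuwuca.com/upload/files/2022/06/EtmHK7bReZ2kYTdejo6Y_29_d5f9d29bcd7544ed1e442041a435c593_file.pdf",
    "http://pensjonatewa.pl/autocad-2023-24-2-crack-gratis-marzo-2022/",
    "https://www.yourlocalmusician.com/wp-content/uploads/2022/06/gincoll.pdf",
]

LURE_WORDS = ("crack", "keygen", "torrent")      # assumed lure vocabulary
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+$")      # standard base64 alphabet


def is_ip_literal(host):
    """True when the URL host is a bare IP address (PDF_URI_IP_LITERAL)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_links(urls):
    """Summarise the link set the way the link-farm heuristic looks at it."""
    hosts = Counter(urlparse(u).hostname or "" for u in urls)
    _, top_count = hosts.most_common(1)[0]
    return {
        "links": len(urls),
        "distinct_hosts": len(hosts),
        "top_host_share": top_count / len(urls),
        "pdf_targets": sum(urlparse(u).path.lower().endswith(".pdf") for u in urls),
        "ip_literal_hosts": sorted(h for h in hosts if is_ip_literal(h)),
        "lure_urls": sum(any(w in u.lower() for w in LURE_WORDS) for u in urls),
    }


def decode_b64_path_segments(url, min_len=8):
    """Return (token, text) for path tokens that base64-decode to printable ASCII.

    Each token is tried whole, then shortened from the right, so a token with
    trailing junk (like 'QXV0b0NBRAQXV' above) still yields its decodable head.
    Lengths congruent to 1 mod 4 can never be valid base64 and are skipped;
    results shorter than 4 bytes or containing control bytes are rejected,
    which keeps ordinary dictionary words in the path from producing noise.
    """
    found = []
    for token in re.split(r"[/.]", urlparse(url).path):
        if len(token) < min_len or not B64_TOKEN.match(token):
            continue
        for n in range(len(token), min_len - 1, -1):
            if n % 4 == 1:
                continue
            raw = base64.b64decode(token[:n] + "=" * (-n % 4))
            if len(raw) >= 4 and all(0x20 <= b < 0x7F for b in raw):
                found.append((token, raw.decode("ascii")))
                break
    return found


if __name__ == "__main__":
    for key, value in triage_links(REPORT_URLS).items():
        print(f"{key}: {value}")
    for token, text in decode_b64_path_segments(REPORT_URLS[0]):
        print(f"{token[:16]}... -> {text}")
```

The decoded second segment begins with "download|" followed by a further opaque blob; the example stops at one layer because the inner data does not decode to text, and guessing at its structure would add nothing the URL itself supports.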

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_004_off00002eb6.bin
SHA-256:  a217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4
Kind:     decompressed-pdf-stream
Source:   PDF FlateDecoded stream at offset 0x2EB6
Size:     120140 bytes
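The artifact above is a FlateDecode stream inflated out of the file and hashed. As an added example (not the sandbox's own carver), the Python below builds a constructed two-stream PDF in memory and carves, inflates and hashes its FlateDecode stream the same way, reporting the stream data offset and raw size that give an artifact its name. It uses zlib.decompressobj so that a truncated or damaged stream still yields its decodable prefix, and records whether the stream ended cleanly. The PDF layout and the regex are simplifications (flat dictionaries only, no cross-reference parsing, no other filters); the sample PDF and its text payload are constructed for this example.

```python
import hashlib
import re
import zlib


def build_sample_pdf(truncate=0):
    """Constructed stand-in for a PDF body: one plain stream, one FlateDecode stream.

    `truncate` drops that many bytes from the end of the compressed data to
    mimic a damaged file; the declared /Length is left untouched on purpose,
    which is how a carver usually meets such streams.
    """
    payload = b"BT /F1 12 Tf 72 712 Td (AutoCAD crack - download here) Tj ET\n"
    deflated = zlib.compress(payload)
    body = deflated[: len(deflated) - truncate] if truncate else deflated
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length 5 >>\nstream\nhello\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated),
        body,
        b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts), payload


# Flat dictionary, then the stream keyword, then data up to the next endstream.
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:(?!>>).)*)>>\s*stream\r?\n(?P<data>.*?)\r?\nendstream",
    re.DOTALL,
)


def carve_flate_streams(pdf_bytes):
    """Inflate every FlateDecode stream found by a linear scan of the file."""
    results = []
    for m in STREAM_RE.finditer(pdf_bytes):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        data = m.group("data")
        d = zlib.decompressobj()
        try:
            decoded = d.decompress(data) + d.flush()
        except zlib.error:
            continue                      # not really deflate data; skip it
        results.append({
            "offset": m.start("data"),    # byte offset of the stream data
            "raw_len": len(data),
            "decoded": decoded,
            "complete": d.eof,            # False when the stream was cut short
            "sha256": hashlib.sha256(decoded).hexdigest(),
        })
    return results


def artifact_name(index, offset):
    """Name an artifact the way the report does: stream_<n>_off<hex offset>.bin."""
    return f"stream_{index:03d}_off{offset:08x}.bin"


if __name__ == "__main__":
    pdf, _ = build_sample_pdf()
    for i, r in enumerate(carve_flate_streams(pdf)):
        print(artifact_name(i, r["offset"]), r["sha256"], len(r["decoded"]),
              "complete" if r["complete"] else "TRUNCATED")
```

On a real file the /Length value and the object's cross-reference entry should be compared against what the scan found; a mismatch between declared and actual stream length is itself worth recording, since it is one of the ways malformed PDFs hide content from parsers that trust the declared length.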