Malicious PDF — malware analysis report

Static analysis result for SHA-256 e69bd2153cf28862…

MALICIOUS

PDF

Size: 136.7 KB
Created: 2022-06-10 05:35:38 +02:00
Authoring application: halihali (via PDF Master 1.0.1)
First seen: 2022-07-15
MD5: b69a4c7724394a0ec9bad02c64511da0
SHA-1: 1c52d9f4f8310b758e9f4bef5bd42802ec66bea9
SHA-256: e69bd2153cf28862ac7293ed6ab664a27025c9d76ce617d74b6adddf28bba1d6
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, a technique often used to distribute malware or facilitate phishing attacks. One heuristic specifically identified a 'mass external PDF link farm', suggesting the document's primary purpose is to redirect users to other potentially malicious PDF files. The presence of a 'Password-protected archive handoff' heuristic further indicates that the document may be part of a multi-stage attack designed to bypass security gateways.

Machine Learning

  • Nyx PDF Classifier clean score 0.0115

Heuristics 4

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff (severity: high, ID: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: stream_002_off0000128e.bin
SHA-256: 20096f0dbf82c199be9ceadc2a6e39daa39eb9adccc6c2ffb9769d7bab84b045
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x128E
Size: 121912 bytes