MALICIOUS
66
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1204.002 Malicious Link
The PDF contains a large number of external links, including a specific heuristic firing for a 'PDF_SEO_LINK_FARM'. One of the embedded URIs, http://evacdir.com/, is flagged as suspicious. The presence of a remote GoTo action further suggests an attempt to redirect the user to potentially malicious content. The document body is heavily obfuscated and does not provide clear textual lures.
Machine Learning
- Nyx PDF Classifier clean score 0.0097
Heuristics 4
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Remote GoTo action info PDF_GOTO_REMOTEPDF has GoToR/GoToE actions that reference sibling document files — typical of multi-part document bundles
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://evacdir.com/?residence=ZG93bmxvYWR8T3gzTm01dWRIeDhNVFkxTkRZME16TTFNSHg4TWpVM05IeDhLRTBwSUhKbFlXUXRZbXh2WnlCYlJtRnpkQ0JIUlU1ZA/QWNyb25pcyBEaXNrIERpcmVjdG9yQWN/adsm/breakfast/compromised.embody=fictitious
- http://escortguate.com/?p=7248
- https://desifaceup.in/upload/files/2022/06/bLKKf9O1GyNS91rnG7O6_08_534576ae8cad7c2cb0b5025cbb9cd974_file.pdf
- https://coolbreezebeverages.com/vistauacmaker-crack-product-key-full-updated-2022/
- https://croatiansincleveland.com/wp-content/uploads/2022/06/AL_Video_Converter.pdf
- http://gateofworld.net/instant-sleep-crack-mac-win/
- https://tuacar.pt/mobilesync-inspect-crack-free-download/
- https://travelvee.com/wp-content/uploads/2022/06/Jalasoft_SNMP_Device_Simulator.pdf
- https://gardeners-market.co.uk/advert/world-machine-basic-edition-crack-for-windows/
- https://www.mrfoodis.de/wp-content/uploads/2022/06/vlabis.pdf
- http://www.pfht.org/advert/signallab-vc-crack-license-key-mac-win-2022/
- https://chgeol.org/connectionmonitor-free-x64-latest/
- https://yemensouq.com/wp-content/uploads/2022/06/lautioa.pdf
- https://concourse-pharmacy.com/2022/06/08/pictrix-resize-crack-activation-key-x64/
- https://gardenlocked.com/upload/files/2022/06/OilOG67untMMIgSbXdny_08_534576ae8cad7c2cb0b5025cbb9cd974_file.pdf
- https://www.jesusnanak.com/upload/files/2022/06/i52fgMVWdK2ibDRcP6rt_08_534576ae8cad7c2cb0b5025cbb9cd974_file.pdf
- https://wwexllc.com/wp-content/uploads/2022/06/ViewerFX_For_Crystal_Reports_Crack.pdf
- https://tcgworldwide.org/uncategorized/nikita-folder-icon-crack/
- http://kwan-amulet.com/wp-content/uploads/2022/06/USGS_DEM_File_Reader__Crack__Download_2022.pdf
- https://goodshape.s3.amazonaws.com/upload/files/2022/06/VmRtOE6Yck3xYKSsQQKQ_08_534576ae8cad7c2cb0b5025cbb9cd974_file.pdf
- http://www.tcpdf.org
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://www.aiim.org/pdfa/ns/extension/
- http://www.aiim.org/pdfa/ns/schema#
- http://www.aiim.org/pdfa/ns/property#
- http://www.aiim.org/pdfa/ns/id/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_004_off00002b0b.bina217f12862e0ff75203bdd4136ca0d68471050be46bb09aed5306898926ffdd4 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2B0B | 120140 bytes |
stream_011_off0001cc4b.bindf221e87b81d1531cafdadb6c09a602e9f604d1baf0a17bbd350cbb83baa06f7 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CC4B | 119072 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.