Malicious PDF — malware analysis report

Static analysis result for SHA-256 438d91804a4efb1a…

MALICIOUS

PDF

Size: 11.5 KB
Created: 2015-07-15 16:25:19 +04:00
Authoring application: DOMPDF
MD5: 21870bb0b6d29937c754ce0fc658834e
SHA-1: f4e69345cf8c9c36ae2aceaa0e6fce8d1a0b25d1
SHA-256: 438d91804a4efb1a5ed9285c97f9fd4be5c77e40facfe443f6566b5c1e0b7528
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, forming a link farm designed to direct users to various websites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. The embedded URLs are likely part of an SEO spam or phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9282

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.