Malicious PDF — malware analysis report

Static analysis result for SHA-256 583c50e3e09924ec…

MALICIOUS

PDF

Size: 12.9 KB
Created: 2015-07-15 14:38:22 +04:00
Authoring application: DOMPDF
MD5: 9f1d11c323710bb74f157dbb7becee5b
SHA-1: 42c5bc4cc54e8b473467e851daf7dbc367a6ec1e
SHA-256: 583c50e3e09924ecab8a7f27de74b1a63e98edc34c96c27ddd289d8ce70414e1
Risk Score: 90

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded links pointing to SEO-optimized websites, indicative of a link farm or redirection scheme. The ML classifier also flagged the PDF as malicious. The primary attack pattern involves directing users to these external sites, likely for further exploitation or to serve malicious content. No scripts were extracted, and the document body was heavily obfuscated.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8838

Heuristics (2)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://photo-file.ru/index.php?article=680.1&wehsa=1&pdf=680
    • http://dhyansuman.com/index.php?article=1561.8&xvanh=8&pdf=1561
    • http://les-zephyrs.com/index.php?article=238.2&ylevy=2&pdf=238
    • http://photo-file.ru/index.php?article=2208.1&wehsa=1&pdf=2208
    • http://www.kingdomfaithchurch.org/index.php?article=789.1&fksac=1&pdf=789
    • http://photo-file.ru/index.php?article=1356.1&wehsa=1&pdf=1356
    • http://www.mantrabeautybar.ca/index.php?article=2209.1&rukbv=1&pdf=2209
    • http://gradespay.com/index.php?article=835.1&cibeh=1&pdf=835
    • http://casarosso.com.tr/index.php?article=1001.1&gdggi=1&pdf=1001
    • http://photo-file.ru/index.php?article=2191.1&wehsa=1&pdf=2191
    • http://photo-file.ru/index.php?article=2286.1&wehsa=1&pdf=2286
    • http://photo-file.ru/index.php?article=1520.1&wehsa=1&pdf=1520
    • http://www.pieuvre-electrique-toulousaine.fr/index.php?article=1346.1&otafi=1&pdf=1346
    • http://photo-file.ru/index.php?article=318.1&wehsa=1&pdf=318
    • http://ehsaasmhs.org/index.php?article=2281.1&qcugi=1&pdf=2281
    • http://photo-file.ru/index.php?article=1115.1&wehsa=1&pdf=1115
    • http://pleasereadbible.com/index.php?article=514.1&ofdkh=1&pdf=514