Malicious PDF — malware analysis report

Static analysis result for SHA-256 61068975249fa0c3…

Verdict: MALICIOUS

File type: PDF

Size: 6.7 KB
Created: 2015-06-04 18:32:31 +04:00
Authoring application: DOMPDF (dompdf, a PHP HTML-to-PDF library)
First seen: 2015-06-09
MD5: 044b5dd4dab5a7a69b3303b804bb1836
SHA-1: 5b66ce95b93bdb55afaf1b726cef8fdbe17e295c
SHA-256: 61068975249fa0c33e40b3a5963bc027f5e688736091d607ec924469ced8cb40
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous embedded URLs related to binary options trading, which the SEO-spam heuristic identified as a generated link farm. The Nyx ML classifier also scored the document as malicious, but at 0.5034 the score is barely above the midpoint and is only weak corroboration on its own. No scripts were extracted, so the document is not itself an exploit; the risk is in the linked destinations, which route readers into redirect or payload chains. The same generated path pattern (index.php?wiki/04/06/2015/<token>/<phrase>.pdf) recurs across seven unrelated domains, which is consistent with a link farm planted across compromised third-party sites. The creation timestamp (2015-06-04) matches the 04/06/2015 date component in those paths, and the Dompdf authoring application fits a PDF produced automatically by the same PHP toolchain. Delivery is most likely as an e-mail attachment or via search results that the spam ranks for, hence the T1566.001 mapping. Triage should therefore focus on the URL list rather than the file: block or sinkhole the listed domains and search mail gateways for the hashes above.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5034

Heuristics (2)

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium) PDF_SEO_PHP_GATEWAY_LINK_FARM
    The PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or a numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma, binary-options or 'free download' spam that ranks for queries and routes users into payload or redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nicholasburgess.com/index.php?wiki/04/06/2015/youraveragego/1+minute+binary+option+strategy.pdf&rospy=2&news=602 (in PDF document text)
    • http://rafcar24.pl/index.php?wiki/04/06/2015/letizia/binary+option+usa.pdf&fnewq=1&news=2166 (in PDF document text)
    • http://ibizatraining.es/index.php?wiki/04/06/2015/planaltina/binary+option+us.pdf&jansi=1&news=1618 (in PDF document text)
    • http://timfelsky.com/index.php?wiki/04/06/2015/crispwoo/binary+option+model.pdf&fxdgz=1&news=101 (in PDF document text)
    • http://nuhyatsanayi.com/index.php?wiki/04/06/2015/vidgamer/binaryoptionstradingsignals.com+scam.pdf&hktpv=1&news=1847 (in PDF document text)
    • http://www.vanwillegenconsult.nl/index.php?wiki/04/06/2015/themefuse/binary+options+easy.pdf&oxhqf=1&news=1121 (in PDF document text)
    • http://www.supermaraton.eu/index.php?wiki/04/06/2015/housepop/binaryoptionstradingguide.com.pdf&owutp=1&news=sitemap (in PDF document text)
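The two detections above, as an added worked example (this is not the vendor's detector or any code from the report): a small Python script that pulls URLs out of raw PDF bytes, labelling link-annotation targets separately from document text and inflating FlateDecode streams on the way, then applies the PDF_SEO_PHP_GATEWAY_LINK_FARM shape to them. The regular expression for the gateway/slug shape, the word-splitting rule, the 4-URL threshold and the sample PDF (built inline from the seven URLs listed in the report plus a benign example.com annotation as a control) are this example's own assumptions. It also handles a slug that the report's list does not exercise, the hyphen-joined 'pdf.php/cialis-dosage-side-effects.pdf' form from the heuristic text.

```python
import re
import zlib
from typing import List, Optional, Tuple
from urllib.parse import unquote

# --- 1. URL extraction from raw PDF bytes --------------------------------
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

def _inflate_streams(pdf: bytes) -> bytes:
    """Replace each stream body by its zlib-inflated form when FlateDecode-
    compressed, else leave it. A real parser honours /Length and /Filter."""
    def inflate(m):
        try:
            return zlib.decompress(m.group(1))
        except zlib.error:
            return m.group(1)
    return STREAM_RE.sub(inflate, pdf)

def extract_urls(pdf: bytes) -> List[Tuple[str, str]]:
    """(channel, url) pairs: /URI targets of link annotations are labelled
    'link annotation', any other http(s) string is 'document text'."""
    data = _inflate_streams(pdf)
    found: List[Tuple[str, str]] = []
    seen = set()
    for m in URI_ANNOT_RE.finditer(data):
        url = m.group(1).decode("latin-1")
        seen.add(url)
        found.append(("link annotation", url))
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append(("document text", url))
    return found

# --- 2. The PDF_SEO_PHP_GATEWAY_LINK_FARM shape (assumed pattern) --------
# A .php gateway, an optional fake directory path, then a document slug ending
# in .pdf. '=' is excluded from the slug so that ordinary key=value links such
# as 'download.php?file=report.pdf' do not match.
GATEWAY_SLUG_RE = re.compile(
    r"/[\w.-]+\.php(?:\?|/)"          # index.php?  or  pdf.php/
    r"(?:[^&#\s]*/)?"                 # e.g. wiki/04/06/2015/<token>/
    r"(?P<slug>[^/&#?=\s]+)\.pdf"     # the document slug
    r"(?:[&#?]|$)",                   # then a query separator or the end
    re.IGNORECASE,
)

def gateway_slug(url: str) -> Optional[str]:
    """The .pdf slug behind a .php gateway, or None if the URL lacks that shape."""
    m = GATEWAY_SLUG_RE.search(url)
    return unquote(m.group("slug")) if m else None

def is_search_phrase(slug: str) -> bool:
    """Two or more words joined by '+', '-', '_' or space, at least two of them
    with letters: 'binary+option+usa' yes; 'invoice' or '2015-0042' no."""
    words = [w for w in re.split(r"[+\-_ ]+", slug) if w]
    wordy = [w for w in words if re.search(r"[A-Za-z]{2,}", w)]
    return len(words) >= 2 and len(wordy) >= 2

def php_gateway_link_farm(urls, threshold: int = 4) -> Tuple[bool, List[str]]:
    """Flag when at least `threshold` URLs carry a search-phrase slug behind a
    .php gateway. Returns (flagged, matching_urls)."""
    hits = [u for u in urls if is_search_phrase(gateway_slug(u) or "")]
    return len(hits) >= threshold, hits

# --- 3. Constructed sample input (not the file from the report) ----------
SAMPLE_TEXT_URLS = [  # the seven URLs listed in the report
    "http://nicholasburgess.com/index.php?wiki/04/06/2015/youraveragego/1+minute+binary+option+strategy.pdf&rospy=2&news=602",
    "http://rafcar24.pl/index.php?wiki/04/06/2015/letizia/binary+option+usa.pdf&fnewq=1&news=2166",
    "http://ibizatraining.es/index.php?wiki/04/06/2015/planaltina/binary+option+us.pdf&jansi=1&news=1618",
    "http://timfelsky.com/index.php?wiki/04/06/2015/crispwoo/binary+option+model.pdf&fxdgz=1&news=101",
    "http://nuhyatsanayi.com/index.php?wiki/04/06/2015/vidgamer/binaryoptionstradingsignals.com+scam.pdf&hktpv=1&news=1847",
    "http://www.vanwillegenconsult.nl/index.php?wiki/04/06/2015/themefuse/binary+options+easy.pdf&oxhqf=1&news=1121",
    "http://www.supermaraton.eu/index.php?wiki/04/06/2015/housepop/binaryoptionstradingguide.com.pdf&owutp=1&news=sitemap",
]
SAMPLE_ANNOT_URL = "http://example.com/docs/whitepaper.pdf"  # benign control, made up

def build_sample_pdf(text_urls, annot_url: str) -> bytes:
    """Minimal PDF skeleton: one Flate-compressed content stream drawing the URLs
    as text plus one link annotation. No xref, so extractable but not renderable."""
    content = b"BT /F1 10 Tf 50 700 Td " + b" ".join(
        b"(" + u.encode() + b") Tj 0 -14 Td" for u in text_urls) + b" ET"
    comp = zlib.compress(content)
    stream_obj = (b"4 0 obj << /Length " + str(len(comp)).encode()
                  + b" /Filter /FlateDecode >> stream\n" + comp
                  + b"\nendstream endobj\n")
    annot_obj = (b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ("
                 + annot_url.encode() + b") >> >> endobj\n")
    return b"%PDF-1.4\n" + stream_obj + annot_obj + b"%%EOF\n"

def analyse(pdf: bytes) -> dict:
    """Run extraction and the heuristic; returns urls, flagged and hits."""
    urls = extract_urls(pdf)
    flagged, hits = php_gateway_link_farm([u for _, u in urls])
    return {"urls": urls, "flagged": flagged, "hits": hits}

if __name__ == "__main__":
    r = analyse(build_sample_pdf(SAMPLE_TEXT_URLS, SAMPLE_ANNOT_URL))
    for channel, url in r["urls"]:
        print(f"{channel:16} {url}")
    print("PDF_SEO_PHP_GATEWAY_LINK_FARM:", r["flagged"], f"({len(r['hits'])} hits)")
```

On the sample, six of the seven report URLs match (the supermaraton.eu link has a single-word slug, binaryoptionstradingguide.com, and so does not count as a search phrase), the benign annotation does not, and the six hits clear the threshold of four. The `=` exclusion in the slug class is a deliberate precision trade-off: it keeps conventional `download.php?file=...` links out at the cost of missing spam that hides the phrase inside a query parameter, so tune it against your own corpus.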