Malicious PDF — malware analysis report

Static analysis result for SHA-256 686ad0805eed4362…

MALICIOUS

PDF

Size: 11.9 KB
Created: 2015-07-15 14:37:47 +04:00
Authoring application: DOMPDF
MD5: 57d5d9d86cde6236fd38f8aec94d2089
SHA-1: 72e63c2b8871852f5bc20fb65e58260ddec9e92c
SHA-256: 686ad0805eed4362bc8b8d05998981fb181d913062230f464062aa569c222914
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links to external websites, identified by the PDF_SEO_LINK_FARM heuristic. While no specific malicious script was directly executed, the presence of a decompressed JavaScript stream and the sheer volume of outbound links suggest an attempt to manipulate search engine results or redirect users to potentially malicious content. The ML_NYX_PDF_MALICIOUS classifier also flagged this document with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8959

Heuristics (2)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off000002fd.js
SHA-256: 63981cc1fa749c8372930191c61c081e5d811855f8607c86d9e30da66a21710f
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x2FD
Size: 13055 bytes