Malicious PDF — malware analysis report

Static analysis result for SHA-256 707470be7ae9af64…

MALICIOUS

PDF

4.5 KB Created: 2015-06-03 16:37:33 +03:00 Authoring application: DOMPDF
MD5: 046e0ca2497649e83eb6c00039d5fe37 SHA-1: 0592b01f2c11abe90b2160e4f36309968299a7ba SHA-256: 707470be7ae9af64bc4012f7252256d3e6ca27bc9a0573b13153d88cfa6f5d8d
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1190 Exploit Public-Facing Application

The PDF contains a large number of embedded URLs pointing to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier also flagged the document as malicious. The embedded URLs are likely used to manipulate search engine rankings or to host malicious content, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5262

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=150
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=1987
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=1613
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=2213
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=2248
    • http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.