PDF static analysis report

Static analysis result for SHA-256 74696908d6cd1c7b…

CLEAN

PDF

5.0 KB Created: 2015-06-02 18:10:32 Authoring application: HTML2FPDF >> http://html2fpdf.sf.net (via FPDF 1.52) First seen: 2015-07-16
MD5: 6eeeff1f4462482ce4dff6f1fc9c5214 SHA-1: 27f1f5a1e74556396e511c26b167f628aea5cfbe SHA-256: 74696908d6cd1c7b896be66cbae10c088a5c6fd0290e9f4359c524316bb57d83
12 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and external URIs pointing to domains that appear to be hosting potentially malicious content. The document body discusses pharmaceuticals like Viagra, suggesting a lure for phishing or a scam. The embedded JavaScript and external URIs are indicative of an attempt to redirect the user to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier clean score 0.0098

Heuristics 3

  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.samfab.com/Scripts/js/pdf.php/use-of-viagra-in-women.pdf PDF link annotation
    • http://www.samfab.com/Scripts/js/pdf.php/prednisone-polyuria.pdfIn PDF document text
    • http://logerenbijvlamingen.com/propecia-active-caavoiuzeuxf-ingredient/In PDF document text
    • http://html2fpdf.sf.net)/CreationDateIn PDF document text
    • http://html2fpdf.sf.netIn PDF document text
🗂 Part of campaign: sf.net 56 samples