Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f52e69a7a8696f4…

MALICIOUS

PDF

Size: 11.1 KB
Created: 2015-07-14 19:45:40 +03:00
Authoring application: DOMPDF
MD5: 57c84b5f69008a87457e9630a876983f
SHA-1: dd1ff9a5815ae68df7b051ba505146df51f74294
SHA-256: 8f52e69a7a8696f46b772d1e842fd2f6f8572f8e32511880c382be505cd6aee4
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially obfuscated, also contains these links and mentions financial topics like 'nifty options' and 'options trading', suggesting a lure to financial-related content. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves directing the user to external websites through these numerous links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9317

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.