PDF malware analysis — malicious · a6d6e10da536bb90

MALICIOUS

PDF

4.4 KB Created: 2015-06-03 16:38:44 +03:00 Authoring application: DOMPDF

MD5: c0b575bd9933aad10d1cdab6f4d308dc SHA-1: 7933fdd9cdcdd26dab9fc39c7889dc5e23d10559 SHA-256: a6d6e10da536bb90f9d17a898d507643fecd78cd8dce9d6809a952ae04683f17

90 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified as a PDF SEO link farm. The document body text is filled with keywords related to forex trading, likely to improve search engine ranking and lure unsuspecting users. The primary heuristic indicates a critical finding of a mass external PDF link farm, suggesting the document's purpose is to redirect users to a network of potentially malicious sites. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.5320

Heuristics 2

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=403
- http://www.kbb-gesellschaft.de/index.php?2015/ergoarena.pdf&urggv=1&aspx=1771
- http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=1537
- http://www.prequine.com/index.php?2015/torcida.pdf&fcldj=1&aspx=1809
- http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=11
- http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.