Malicious PDF — malware analysis report

Static analysis result for SHA-256 aad45a74ce2f1cc6…

Verdict: MALICIOUS
File type: PDF
Size: 12.3 KB
Created: 2015-07-15 14:36:03 +04:00
Authoring application: DOMPDF
MD5: bb390c7efd0f4172f31f3c1b4ee4e083
SHA-1: 8113d268e3c5899015e3b74a73f34ed498ada2f5
SHA-256: aad45a74ce2f1cc6e82d33eba5e27753c31b821e16dbd3ad8802e66539a6be9c
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF contains a large number of embedded clickable URLs spread across many domains, with most of them clustered on a single host, which is consistent with a generated SEO link farm rather than a normal document's citations. The heuristic PDF_SEO_LINK_FARM flags exactly this pattern, and the ML classifier independently scored the file as malicious. No scripts were extracted, and the document body text was heavily obfuscated, so a more specific user-facing lure could not be determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8883

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://photo-file.ru/index.php?article=1647.1&wehsa=1&pdf=1647
    • http://www.masajesmexicali.com/index.php?article=2433.1&pjtcs=1&pdf=2433
    • http://149clean.com/index.php?article=177.2&lkxaf=2&pdf=177
    • http://photo-file.ru/index.php?article=1867.1&wehsa=1&pdf=1867
    • http://dfnotebooks.com.br/index.php?article=683.1&gatis=1&pdf=683
    • http://photo-file.ru/index.php?article=158.1&wehsa=1&pdf=158
    • http://godfer-racing.org/index.php?article=14.6&tihit=6&pdf=14
    • http://www.mantrabeautybar.ca/index.php?article=1624.1&rukbv=1&pdf=1624
    • http://www.faceausoleil.com/index.php?article=1112.2&ipbvv=2&pdf=1112
    • http://photo-file.ru/index.php?article=1115.1&wehsa=1&pdf=1115
    • http://photo-file.ru/index.php?article=560.1&wehsa=1&pdf=560
    • http://photo-file.ru/index.php?article=1535.1&wehsa=1&pdf=1535
    • http://londonfilmandcomiccon.net/index.php?article=969.2&ybtwx=2&pdf=969
    • http://photo-file.ru/index.php?article=1887.1&wehsa=1&pdf=1887
    • http://sennexdesign.com/index.php?article=1421.1&nonzs=1&pdf=1421
    • http://photo-file.ru/index.php?article=1474.1&wehsa=1&pdf=1474
    • http://www.myrlimo.com/index.php?article=2239.1&sqfkb=1&pdf=2239
    • http://www.myrlimo.com/in
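To make the PDF_SEO_LINK_FARM logic described above concrete, the following is an added Python example, not the scanner's own code. It builds a small single-page PDF whose /Link annotations carry /URI actions, pulls the URIs back out of the raw bytes, and scores the file on link count, size and concentration on the top host. The sample URLs are the seventeen complete ones listed in the EMBEDDED_URL section; the thresholds (64 KB, at least 10 external links, at least 40% of them on one host) are assumed for illustration and are not the thresholds the report's heuristic uses.

```python
"""Added example: the 'small PDF, mass external link farm' heuristic over
/Link annotations. Thresholds below are assumptions, not the scanner's."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: the complete link URLs listed in the report above.
SAMPLE_URLS = [
    "http://photo-file.ru/index.php?article=1647.1&wehsa=1&pdf=1647",
    "http://www.masajesmexicali.com/index.php?article=2433.1&pjtcs=1&pdf=2433",
    "http://149clean.com/index.php?article=177.2&lkxaf=2&pdf=177",
    "http://photo-file.ru/index.php?article=1867.1&wehsa=1&pdf=1867",
    "http://dfnotebooks.com.br/index.php?article=683.1&gatis=1&pdf=683",
    "http://photo-file.ru/index.php?article=158.1&wehsa=1&pdf=158",
    "http://godfer-racing.org/index.php?article=14.6&tihit=6&pdf=14",
    "http://www.mantrabeautybar.ca/index.php?article=1624.1&rukbv=1&pdf=1624",
    "http://www.faceausoleil.com/index.php?article=1112.2&ipbvv=2&pdf=1112",
    "http://photo-file.ru/index.php?article=1115.1&wehsa=1&pdf=1115",
    "http://photo-file.ru/index.php?article=560.1&wehsa=1&pdf=560",
    "http://photo-file.ru/index.php?article=1535.1&wehsa=1&pdf=1535",
    "http://londonfilmandcomiccon.net/index.php?article=969.2&ybtwx=2&pdf=969",
    "http://photo-file.ru/index.php?article=1887.1&wehsa=1&pdf=1887",
    "http://sennexdesign.com/index.php?article=1421.1&nonzs=1&pdf=1421",
    "http://photo-file.ru/index.php?article=1474.1&wehsa=1&pdf=1474",
    "http://www.myrlimo.com/index.php?article=2239.1&sqfkb=1&pdf=2239",
]


def _pdf_string(s: str) -> bytes:
    """Encode s as a PDF literal string, escaping backslash and parentheses."""
    raw = s.encode("ascii").replace(b"\\", b"\\\\")
    return b"(" + raw.replace(b"(", b"\\(").replace(b")", b"\\)") + b")"


def build_link_pdf(urls: list[str]) -> bytes:
    """Write a minimal one-page PDF with one /Link annotation per URL (uncompressed)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    first_annot = 4  # annotations follow the page object (object 3)
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        y = 780 - 12 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [20 %d 400 %d] "
                    b"/A << /S /URI /URI %s >> >>" % (y - 10, y, _pdf_string(url)))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off  # each xref entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# /URI followed by a literal string; escaped characters inside the string are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return /URI action targets found in the raw bytes.

    Limitation: only uncompressed literal strings are seen. Real PDFs often put
    annotations in Flate-compressed object streams, so a production extractor
    decompresses and walks the object tree instead of grepping the file."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def seo_link_farm_check(pdf: bytes, *, max_size: int = 64 * 1024, min_links: int = 10,
                        min_top_share: float = 0.4) -> dict:
    """Small file + many external links + most of them on one host => flagged.
    Thresholds are assumed for this example."""
    external = [u for u in extract_link_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    top_share = top_count / len(external) if external else 0.0
    return {
        "size": len(pdf),
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_count": top_count,
        "top_host_share": round(top_share, 3),
        "flagged": len(pdf) <= max_size and len(external) >= min_links and top_share >= min_top_share,
    }


def analyze_sample() -> dict:
    """Run the check over a PDF built from the report's URL list."""
    return seo_link_farm_check(build_link_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    print(analyze_sample())
```

On the sample, 8 of the 17 links resolve to photo-file.ru (a 47% share across 10 distinct hosts), which is what the "clustered on one host" wording in the heuristic refers to; a two-link PDF with ordinary citations passes through unflagged, matching the report's note that a URL on its own is not a detection.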