PDF static analysis report

Static analysis result for SHA-256 b100da729a951775…

SUSPICIOUS

PDF

5.4 KB Created: 2015-06-04 00:03:24 Authoring application: HTML2FPDF >> http://html2fpdf.sf.net (via FPDF 1.52) First seen: 2015-07-16
MD5: 2ddc4294117f33fac6be290e0d4c09e9 SHA-1: f29861f4126123b4d8c1c88c07cdd51a7cd17860 SHA-256: b100da729a95177571269385636493de89c3a1bee292795e13389df5df5f7cb0
40 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The PDF file contains embedded JavaScript and multiple external URIs. The document body text is a mix of seemingly legitimate content and pharmaceutical advertisements, interspersed with URLs that appear to be part of a phishing or spam campaign. The embedded JavaScript and external URIs suggest an attempt to redirect the user to malicious sites or download further payloads. The URLs point to domains that are likely involved in distributing spam or phishing content.

Machine Learning

  • Nyx PDF Classifier clean score 0.0128

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.osirisconsulting.com/Services_files/img/pdf.php/does-prednisone-cause-flushing.pdf In PDF document text
    • http://www.osirisconsulting.com/Services_files/img/pdf.php/prednisone-for-crohns-flare.pdfIn PDF document text
    • http://www.osirisconsulting.com/Services_files/img/pdf.php/viagra-online-perth-wa.pdfIn PDF document text
    • http://immigrationhelp.net/script/js/pdf.php/side-effects-from-zithromax.pdfIn PDF document text
    • http://www.osirisconsulting.com/Services_files/img/pdf.php/prednisone-for-seborrheic-dermatitis.pdfIn PDF document text
    • http://www.osirisconsulting.com/Services_files/img/pdf.php/cialis-canada-pharmacy-online.pdfIn PDF document text
    • http://www.osirisconsulting.com/Services_files/img/pdf.php/dapoxetine-60-mg.pdfIn PDF document text
    • http://html2fpdf.sf.net)/CreationDateIn PDF document text
    • http://html2fpdf.sf.netIn PDF document text
🗂 Part of campaign: sf.net 56 samples