Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4ecd71d6b19d921…

MALICIOUS

PDF

4.7 KB Created: 2015-06-03 16:38:48 +03:00 Authoring application: DOMPDF
MD5: 0030f06f3576b4bad51365826c386957 SHA-1: 49cc8f6b09754e937bf85ac0c81d816510c43648 SHA-256: b4ecd71d6b19d9212f5a3cc4a7281c679d9c4f7b9d50848a64c4e158a7da194b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing for a PDF SEO link farm, indicating a large number of embedded external links. The document body confirms this by containing numerous URLs, suggesting a lure to external malicious content. No scripts were extracted, limiting further analysis of the payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.1457

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.academiafutebolangola.com/index.php?2015/hmdeepfocus.pdf&audtr=1&aspx=1496
    • http://www.kbb-gesellschaft.de/index.php?2015/ergoarena.pdf&urggv=1&aspx=553
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=2277
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=793
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=104
    • http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.