MALICIOUS
Risk Score: 90
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.001 PowerShell
The PDF file contains a large number of embedded URLs pointing to various domains, indicative of a link farm. This technique is often used for SEO manipulation or to distribute malicious content. The ML classifier also flagged this PDF as malicious with a high probability. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine a more specific attack pattern beyond the link farm.
Machine Learning
- Nyx PDF Classifier malicious score 0.8959
Heuristics 2
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.