Malicious PDF — malware analysis report

Static analysis result for SHA-256 f05dbf02a3187a2a…

MALICIOUS

PDF

Size: 12.4 KB
Created: 2015-07-15 16:26:24 +04:00
Authoring application: DOMPDF
MD5: 9141a290c5b144bbac2f668c828de990
SHA-1: 7505a67bd388e32305b3640592ab25735c8eadb9
SHA-256: f05dbf02a3187a2ae0b19ba2fdcd6ad214170ab3a7d7e73cc81a6520909e10f7
90 Risk Score

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file was flagged by a machine learning classifier as malicious. Static analysis revealed a large number of embedded URLs, forming a link farm. The primary attack pattern appears to be SEO manipulation or directing users to potentially malicious content hosted on numerous external domains. No scripts were extracted, limiting the analysis of direct payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8883

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.