Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1143727981fdc13…

MALICIOUS

PDF

11.5 KB
Created: 2015-07-15 16:26:32 +04:00
Authoring application: DOMPDF
MD5: adfecf9e2c587b5433447feadacde727
SHA-1: 7184ad3e159c1522201fd778f85cd23c4a16131a
SHA-256: f1143727981fdc1319d6da1bba0824b71c61b136c0a6c048cc4887dc62937e13
90 Risk Score

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by an ML classifier as malicious and contains a large number of external links, many of which appear to be part of a link farm. The document body mentions '60 second trading scam seminars', suggesting a lure to financial scams. The primary attack pattern involves directing users to a multitude of external URLs, likely for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9282

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.