Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1b37cc8f6837075…

MALICIOUS

PDF

Size: 12.7 KB
Created: 2015-07-15 16:23:18 +04:00
Authoring application: DOMPDF
MD5: a37e25a00042a631f60f72da48a8e341
SHA-1: 07ab0538987cf23ef07552c61e4dd888505549b6
SHA-256: f1b37cc8f68370752e3a8f4c5ecf14a7c64c52a81634e6ffc032e72a42f78d97
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier and contains a large number of embedded URLs, suggesting a link farm or redirection scheme. The document body mentions 'Binary option with success strategies', which is a common lure for financial scams. The primary attack pattern involves directing users to external websites through these numerous links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8835

Heuristics (2)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.