PDF static analysis report

Static analysis result for SHA-256 f2777ce8e5aaa8bc…

CLEAN

PDF

4.9 KB Created: 2015-06-06 04:31:20 Authoring application: HTML2FPDF >> http://html2fpdf.sf.net (via FPDF 1.52) First seen: 2015-07-16
MD5: ca71c96fc3788c243bacccdb230b0058 SHA-1: 7ebc227ce48962ed65bb8e5afb3cb7d8e75d66c2 SHA-256: f2777ce8e5aaa8bcbf4de154f05ba0c1f479e22d330859c30b5d608ba9781d82
12 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains embedded JavaScript and multiple external URIs. The document body, though truncated, includes several URLs that appear to be lures for pharmaceutical products, suggesting a phishing or scam attempt. The embedded JavaScript stream is a common technique for initiating malicious actions within PDF documents. The primary attack pattern involves directing the user to potentially malicious websites.

Machine Learning

  • Nyx PDF Classifier clean score 0.0108

Heuristics 3

  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://phudararesort.com/ozmoiuve-amoxil-ingredients/ PDF link annotation
    • http://snowgatorsports.com/wp-test/1/generic-cialis-price-comparison/Referenced by PDF JavaScript
    • http://www.plushaut.net/fckeditor/editor/js/pdf.php/viagra-99.pdfIn PDF document text
    • http://www.plushaut.net/fckeditor/editor/js/pdf.php/kamagra-india.pdfIn PDF document text
    • http://html2fpdf.sf.net)/CreationDateIn PDF document text
    • http://html2fpdf.sf.netIn PDF document text
🗂 Part of campaign: sf.net 56 samples