Malicious PDF — malware analysis report

Static analysis result for SHA-256 f611eb33f7b7bed3…

MALICIOUS

PDF

5.0 KB Created: 2015-06-03 16:40:29 +03:00 Authoring application: DOMPDF
MD5: 63426804c59514e12b63e9fe1141820e SHA-1: 56c8739842d06129a8051a1ace57b1068825689f SHA-256: f611eb33f7b7bed3b9070d4283fd97b5b4e5f5bfb66b2e5620c7509dfc48ed72
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, many pointing to domains that appear to be part of a link farm designed to attract search engine traffic. The document body text discusses stock options and investment opportunities, suggesting a phishing or scam lure. The heuristic 'PDF_SEO_LINK_FARM' confirms the presence of numerous external links generated for SEO purposes. No scripts were extracted from this sample.

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.prequine.com/index.php?2015/torcida.pdf&fcldj=1&aspx=2392
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=1131
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=1007
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=343
    • http://www.nibl.co.nz/index.php?2015/decision.pdf&angzv=1&aspx=222
    • http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.