Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8d8345f40cd7ee0…

MALICIOUS

PDF

12.3 KB Created: 2015-07-15 14:41:15 +04:00 Authoring application: DOMPDF
MD5: 9e3ba11331ec9ba016297c85fb813f10 SHA-1: 91fd23e9ee391c4c86aee7806ccb6fd85f583b05 SHA-256: f8d8345f40cd7ee009cd74b357dbd7f1e93c111d69d0206c639e87a5c12dcf05
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier and contains a significant number of embedded URLs pointing to various external domains. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a large number of links, suggesting a malicious SEO or content distribution scheme. No scripts were extracted from this sample, but the extensive link farm is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8835

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://photo-file.ru/index.php?article=580.1&wehsa=1&pdf=580
    • http://ura-sandoz.com/index.php?article=179.1&nydkb=1&pdf=179
    • http://gradespay.com/index.php?article=2007.1&cibeh=1&pdf=2007
    • http://photo-file.ru/index.php?article=1169.1&wehsa=1&pdf=1169
    • http://vs-media.nl/index.php?article=1818.1&nxjas=1&pdf=1818
    • http://photo-file.ru/index.php?article=2345.1&wehsa=1&pdf=2345
    • http://www.mantrabeautybar.ca/index.php?article=1232.1&rukbv=1&pdf=1232
    • http://information32.org/index.php?article=1364.1&ugibr=1&pdf=1364
    • http://kredite-fuer-arbeitslose.net/index.php?article=2262.1&jhins=1&pdf=2262
    • http://photo-file.ru/index.php?article=940.1&wehsa=1&pdf=940
    • http://photo-file.ru/index.php?article=901.1&wehsa=1&pdf=901
    • http://photo-file.ru/index.php?article=589.1&wehsa=1&pdf=589
    • http://www.lole.cl/index.php?article=876.1&fadfz=1&pdf=876
    • http://photo-file.ru/index.php?article=364.1&wehsa=1&pdf=364
    • http://immofina-solutions.com/index.php?article=2123.1&gzogv=1&pdf=2123
    • http://photo-file.ru/index.php?article=958.1&wehsa=1&pdf=958
    • http://lifesweetner.es/index.php?article=228.1&wddqo=1&pdf=228

Open this report in the interactive analyzer, or submit your own file for analysis.