Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9ba7eda29b2aa49…

MALICIOUS

PDF

4.8 KB Created: 2015-06-03 16:40:37 +03:00 Authoring application: DOMPDF
MD5: 0dbb745723475735a34de39b1e349cda SHA-1: ae4fb022549ff0538e3e721d7a2f2bda9181f0c8 SHA-256: f9ba7eda29b2aa492dccc249f70896a9c47172632af0cc023966c5b20f1bbba1
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF file contains a heuristic firing for a PDF SEO link farm, indicating a large number of embedded external links. The document body, though truncated, repeats phrases related to financial trading and investment options, suggesting a lure to engage the user. The embedded URLs are likely used for SEO manipulation or to redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier clean score 0.1434

Heuristics 2

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.prequine.com/index.php?2015/torcida.pdf&fcldj=1&aspx=2347
    • http://www.kbb-gesellschaft.de/index.php?2015/ergoarena.pdf&urggv=1&aspx=1107
    • http://phcccolorado.org/index.php?2015/arabtera.pdf&effpp=1&aspx=2106
    • http://www.kbb-gesellschaft.de/index.php?2015/ergoarena.pdf&urggv=1&aspx=813
    • http://www.prequine.com/index.php?2015/torcida.pdf&fcldj=1&aspx=787
    • http://dyrlaegecentret.dk/index.php?2015/typestitch.pdf&hjhle=1&aspx=sitemap

Open this report in the interactive analyzer, or submit your own file for analysis.