Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdea2bbe26bca8ee…

Verdict: MALICIOUS
File type: PDF
Size: 4.4 KB
Created: 2015-06-03 16:38:44 +03:00
Authoring application: DOMPDF
MD5: 71dc9bbf73c5f7fa90c2b8cf13f171b6
SHA-1: bdbc2dc8339f27a78d8a6b4d2b6140995df37ee5
SHA-256: fdea2bbe26bca8eefe99ec3a31df01df1ad0e45d08b68116115d6cedc9eedd80
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell

The PDF file triggered a heuristic for an unusually large number of external links, which suggests a link farm or SEO manipulation tactic. The document body, although truncated, also contains numerous URLs. The primary attack pattern is to direct users to external sites through these links. No scripts were extracted from the file, which limits further analysis of any specific payload.

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.