Malicious PDF — malware analysis report

Static analysis result for SHA-256 0639c8f60f380031…

Verdict: MALICIOUS
File type: PDF
Size: 368.5 KB
Created: 2015-08-20 08:32:17 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 799f30e91fa11eede372d35f7861bfb7
SHA-1: 62514e26b0e2ab8ec0526768cdc567cf5c4dfbaf
SHA-256: 0639c8f60f3800315a9600d833ae3b7a1bf27176e78ba5eacaafbf8cb9d1869e
Risk Score: 92

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. While no scripts were explicitly extracted, the presence of embedded URLs and the critical heuristic firing strongly suggest malicious intent. The document body is heavily obfuscated and unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B8%D0%B3%D1%80%D1%8B+%D1%87%D0%B5%D1%80%D0%B5%D0%B7+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82+18+%D1%81%D1%82%D0%B0%D0%BB%D1%8C%D0%BD%D1%8B%D1%85+%D0%BA%D0%BE%D0%BB%D0%B5%D1%81+%D0%BA%D1%83%D0%B1%D0%B0%D0%BD%D1%81%D0%BA%D0%BE%D0%B5+%D1%80%D0%B0%D0%B7%D0%B4%D0%BE%D0%BB%D1%8C%D0%B5&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4639/4639447_hadisuy_proroka_muhammeda_skachat_besplatno.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4639/4639065_gadanie_na_kofe_onlayn_besplatno_na_buduschee.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4638/4638849_rusifikator_dlya_mass_effect_3_russkaya_ozvuchka.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off00057ce1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x57CE1   8076 bytes
  SHA-256: eabf22a704511393aae3adb64c3f4fc3bdc03173abcf13433fa16225e9081e63
font_01_sfnt_off0005945c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5945C   14864 bytes
  SHA-256: c54089b77953938e65fcb88e10f54e89ca0f01523f0de87de3560b572e56e64d