Malicious PDF — malware analysis report

Static analysis result for SHA-256 19392a8268619cdb…

Verdict: MALICIOUS
File type: PDF
Size: 342.7 KB
Created: 2015-08-28 00:28:21 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: d0bda1cbdc0f139c3b90f88fbc9fae8a
SHA-1: a20120f9657d7f1ee9f83cf47ac7f39fa5407dc0
SHA-256: 19392a8268619cdb753a52608a2771762e62165622b8d6397c453ca0af9baafb
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a clickable link to a known malicious redirector, i.e. an attempt to lure the user onto a harmful site once they open the document and follow the link. The ClamAV signature Pdf.Dropper.Agent and the high classifier score (0.998) corroborate the verdict. The embedded URL is likely the entry point of a redirect chain that ultimately delivers a second-stage payload; the document itself relies on user interaction rather than on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Dropper.Agent-9366340-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9366340-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%B1%D1%80%D0%BE%D0%BD%D0%B5%D0%B6%D0%B8%D0%BB%D0%B5%D1%82+%D0%B2%D0%BE%D0%B4%D0%B8%D1%82%D0%B5%D0%BB%D1%8F+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4787/4787980_piter__druker__yeffektivnuyy_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788561_prohozhdenie__igruy__sekret_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788150_film__o__zhenschinuy_.pdf
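The heuristics above describe what the analysis engine does: find clickable URIs, label the channel that reaches each one, and match the host against known redirector infrastructure. The following is an added example of that triage step, written for this page and not code from the report or from any analysis vendor. It parses PDF literal strings properly (nested parentheses, backslash escapes) so that a URL hidden inside a JavaScript action is found as well as one in a /Link annotation, and it percent-decodes the query string so the analyst can read the lure. The sample PDF is constructed here (no xref; the extraction is byte-level and does not need one), and REDIRECTOR_HOSTS is an assumed block list seeded with the host the report flags. Run against the report's URL, the keyword parameter decodes to the Russian search phrase "бронежилет водителя скачать" ("download driver's bulletproof vest"), which is what an SEO-poisoning lure looks like.

```python
# Added example (not from the report or any analysis vendor): static extraction of
# clickable URIs from a PDF, with channel labels, and percent-decoding of the lure
# query string. SAMPLE_PDF is constructed here; REDIRECTOR_HOSTS is an assumed
# block list seeded with the host the report flags.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed minimal PDF (no xref, so not a complete file; the extraction is
# byte-level and does not need one). Object 4 is a /Link annotation whose /URI
# action carries the report's URL, the channel wkhtmltopdf uses for <a href>.
# Object 5 is an /OpenAction JavaScript action embedding a second URL, so both
# channels are exercised.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"  /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=%D0%B1%D1%80%D0%BE%D0%BD"
    b"%D0%B5%D0%B6%D0%B8%D0%BB%D0%B5%D1%82+%D0%B2%D0%BE%D0%B4%D0%B8%D1%82%D0%B5%D0%BB"
    b"%D1%8F+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8) >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS (app.launchURL(\"http://example.invalid/next\")) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

CHANNELS = {b"URI": "link annotation (/URI action)", b"JS": "JavaScript action (/JS)"}
ACTION_RE = re.compile(rb"/(URI|JS)\s*\(")        # action key followed by a literal string
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")     # good enough for triage, not an RFC parser
REDIRECTOR_HOSTS = {"botcraftman.ru"}              # assumed block list for the demo


def read_literal(data, i):
    """Return the contents of the PDF literal string whose '(' is at data[i].
    Parentheses nest; a backslash escapes the next byte. Octal and
    line-continuation escapes are not expanded (not needed for URLs)."""
    depth, out, j = 1, bytearray(), i + 1
    while j < len(data):
        c = data[j]
        if c == 0x5C and j + 1 < len(data):    # backslash: keep the escaped byte verbatim
            out.append(data[j + 1])
            j += 2
            continue
        if c == 0x28:                          # '('
            depth += 1
        elif c == 0x29:                        # ')'
            depth -= 1
            if depth == 0:
                break
        out.append(c)
        j += 1
    return bytes(out)


def extract_urls(pdf):
    """Return [(channel, url)] for every http(s) URL reachable through a /URI or
    /JS action in the raw bytes. Object streams (/ObjStm) and hex strings are
    out of scope here; inflate those first in a production version."""
    found = []
    for m in ACTION_RE.finditer(pdf):
        text = read_literal(pdf, m.end() - 1)
        for u in URL_RE.findall(text):
            found.append((CHANNELS[m.group(1)], u.decode("latin-1")))
    return found


def decode_query(url):
    """Percent-decode the query (plus signs become spaces) so the analyst can
    read the lure, e.g. the SEO keyword carried by the redirector URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def triage(pdf):
    """One record per extracted URL: channel, host, block-list hit, decoded query."""
    rows = []
    for channel, url in extract_urls(pdf):
        host = urlsplit(url).hostname or ""
        rows.append({"channel": channel, "url": url, "host": host,
                     "known_redirector": host in REDIRECTOR_HOSTS,
                     "query": decode_query(url)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_PDF):
        flag = "REDIRECTOR" if row["known_redirector"] else "-"
        print(f"{flag:10s} {row['channel']:32s} {row['url']}")
        for k, v in row["query"].items():
            print(f"{'':10s}   {k} = {v}")
```

The channel label matters for the verdict: a URL in a /Link annotation needs a click, whereas one in an /OpenAction JavaScript action fires when the file is opened (subject to the reader's JavaScript policy), so the two are reported separately rather than as a flat URL list.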

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000513fa.bin
    SHA-256: 4d2688c0275575d9f94a850dc8afc9907b9335ead14d77fa532dd9215a0d9a3d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x513FA
    Size: 9764 bytes
  • Filename: font_01_sfnt_off00052f81.bin
    SHA-256: 35a29985d99f27ebbda08d33922d4227e9e84697487d3cfa9ca9ca297b673020
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x52F81
    Size: 13768 bytes
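The two artifacts are font streams the engine carved because their decoded bytes start with an sfnt header. Embedded fonts are ordinary in wkhtmltopdf output, but a font stream is also a classic place to hide a payload, so carving and hashing them is part of any static PDF triage. The following is an added example of that carving step, written for this page and not the analysis engine's own code. It walks the stream objects, resolves a direct /Length (falling back to the endstream keyword for an indirect one), inflates FlateDecode streams, and keeps those that carry one of the four sfnt magics. The PDF and the "font" (a minimal offset table with three empty table records) are constructed here; the filename convention is assumed to mirror the table above, with the offset taken as the position of the stream data.

```python
# Added example (not from the report): carve embedded sfnt fonts out of a PDF's
# streams and report offset, size and SHA-256 the way the artifact table does.
# The PDF is constructed here; the "font" is a minimal sfnt offset table with
# three empty table records. The filename convention (offset of the stream data,
# eight hex digits) is assumed to mirror the table above.
import hashlib
import re
import struct
import zlib

# sfnt wrappers recognised by their first four bytes (OpenType spec, "Organization of an OpenType font")
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType outlines", b"OTTO": "CFF outlines",
               b"true": "TrueType (Apple)", b"ttcf": "TrueType collection"}


def fake_sfnt(tags=(b"cmap", b"glyf", b"head")):
    """Constructed sfnt: 12-byte offset table + one 16-byte record per tag, no table data."""
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    records = b"".join(struct.pack(">4sIII", tag, 0, 0, 0) for tag in tags)
    return header + records


def build_pdf(font):
    """Constructed PDF with one FlateDecode font stream and one plain text stream."""
    body = zlib.compress(font)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog >> endobj\n"
            b"2 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode /Length1 " + str(len(font)).encode() + b" >>\nstream\n" +
            body + b"\nendstream\nendobj\n"
            b"3 0 obj << /Length 11 >>\nstream\nhello world\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# A stream's dictionary runs from "N G obj <<" to the ">>" right before "stream"; the
# tempered (?!endobj) token stops the lazy match from spilling into the next object.
STREAM_RE = re.compile(rb"\d+\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # skip indirect "/Length 5 0 R"


def carve_fonts(pdf):
    """Return one record per stream whose decoded bytes start with an sfnt magic."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        lm = DIRECT_LENGTH_RE.search(dictionary)
        end = start + int(lm.group(1)) if lm else pdf.find(b"\nendstream", start)
        if end < start:
            continue                          # no usable length and no endstream keyword
        data = pdf[start:end]
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                      # truncated or not really deflate; skip
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0] if len(data) >= 6 else 0
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
            "offset": start, "size": len(data), "kind": kind, "tables": num_tables,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    for f in carve_fonts(build_pdf(fake_sfnt())):
        print(f"{f['name']}  {f['kind']}  {f['tables']} tables  {f['size']} bytes  sha256={f['sha256']}")
```

The size recorded is that of the decoded font, not the compressed stream, which is what makes the hash comparable across samples that embed the same font with different compression settings. For a real sample, the next step is to check the carved file against a font parser and the table directory for oversized or out-of-bounds table records, since that is where a malformed font would hide.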