Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b12b356e3313edd…

Verdict: MALICIOUS
File type: PDF
Size: 186.5 KB
Created: 2015-08-08 10:37:14 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: d3647a3573f6ecee480b725792c6edca
SHA-1: 395ff6a12c9e693adb0358169229a143e364e62f
SHA-256: 1b12b356e3313eddcebbecb30b0fb6137ed68ffb5f26564571800c72f8ea4770
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF file was flagged by multiple heuristics as malicious, specifically due to an embedded link pointing to known malicious redirector infrastructure. The ML classifier also assigned a high probability of maliciousness. The primary attack vector appears to be directing the user to a harmful external resource via the embedded URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE-%D0%B0%D0%BD%D0%B3%D0%BB%D0%B8%D0%B9%D1%81%D0%BA%D0%B8%D0%B9+%D1%80%D0%B0%D0%B7%D0%B3%D0%BE%D0%B2%D0%BE%D1%80%D0%BD%D0%B8%D0%BA&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385606_skachat_kastomnuyu_proshivku_dlya_iphone_3gs_613_s_aktivaciey.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385227_programma_dlya_vzloma_pochtovogo_yaschika.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4383/4383744_skachat_besplatno_detskie_klipuy_iz_peredachi_baby_time.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off00024702.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x24702 | Size: 3556 bytes
  • font_01_sfnt_off00025485.bin
    SHA-256: f05246a5a3203d31e461321a6433b6b9b5f60de672cd13ede7cbda1bbf305f19
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x25485 | Size: 14828 bytes
  • font_02_sfnt_off0002822a.bin
    SHA-256: 13af8eda4f1eb8ddfda35002abe8a3efc5fedb23c7efab0af51a2b467e80e8a3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x2822A | Size: 14468 bytes
  • font_03_sfnt_off0002ace0.bin
    SHA-256: 48b383472be3740dad6c73cd7084d248dece7e7b1c7f8a828585e16c0aa25c55
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x2ACE0 | Size: 6668 bytes
  • font_04_sfnt_off0002c008.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x2C008 | Size: 6084 bytes
  • font_05_sfnt_off0002cf9d.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x2CF9D | Size: 3752 bytes