Malicious PDF — malware analysis report

Static analysis result for SHA-256 31617ebc94c3f636…

Verdict: MALICIOUS
File type: PDF
Size: 341.2 KB
Created: 2015-08-29 12:11:13 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
First seen: 2021-07-07
MD5: 7682de49905af1db9b3aac0675e16868
SHA-1: 347e28802d51bdb489eb945127e88743a0eec79e
SHA-256: 31617ebc94c3f6367245b1c2a9d6ef7887d039658371c0f144f1bf60e4ab6371
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. While no scripts were explicitly extracted, the PDF structure and the malicious URL strongly suggest an intent to compromise the user through redirection. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80%D0%BD%D0%B0%D1%8F+%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0+relax&charset=utf-8 (in PDF document text)
    • http://img1.liveinternet.ru/images/attach/c/7//4831/4831136_filecheckfix__dlya__gta_.pdf (in PDF document text)
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830792_zanaveski__kryuchkom_.pdf (in PDF document text)
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830777_kak__posmotret__fayl_.pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00050e10.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x50E10 | 8096 bytes
  SHA-256: f92ad9e3ed8293655fcf9f3fdc387982d4fc60c84131057535a74643fc5f871a
font_01_sfnt_off00052415.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x52415 | 16076 bytes
  SHA-256: b8874922f2f733b91cf2d77375fecd008271f907bb5a172c4a0d5fa40edb436a