PDF static analysis report

Static analysis result for SHA-256 31f9625688e4f081…

SUSPICIOUS

PDF

Size: 183.1 KB
Created: 2015-07-23 13:17:41 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
First seen: 2020-09-24
MD5: 91913ff1e6b5f8f96afa919fddbc499e
SHA-1: b4b5f01e5bcb9aaa76661d07c555b6396fec810f
SHA-256: 31f9625688e4f08159b19e62c2583d861abd103f07afb7d9870dca0d15afc7b3
Risk Score: 34

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URI pointing to a suspicious domain, which is a strong indicator of a phishing or malware distribution attempt. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of an external URI suggests an attempt to redirect the user to a malicious site, likely for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ruqvarq.ru/?b1Ls&keyword=ir2121+%D1%81%D1%85%D0%B5%D0%BC%D0%B0&charset=utf-8 (PDF link annotation)
    • http://fastpic.ru/ (in PDF document text)
    • http://www.liveinternet.ru/click (in PDF document text)
    • http://img1.liveinternet.ru/images/attach/c/5//4183/4183243_urok_3.pdf (in PDF document text)
    • http://img1.liveinternet.ru/images/attach/c/5//4183/4183191_ladinec_shema_vuyshivki.pdf (in PDF document text)
    • http://img1.liveinternet.ru/images/attach/c/5//4183/4183244_proekt_dachnogo_domika.pdf (in PDF document text)
    • http://www.microsoft.com/typography/fonts/ (in PDF document text)
    • http://www.microsoft.com/typography/fonts/You (in PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00023bc7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23BC7
    Size: 3556 bytes
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off0002494a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2494A
    Size: 14720 bytes
    SHA-256: ec07fd45724b730ebe820d08ac1aaf87d7c65318c5de1aa3ab352f8ba5a6b18b
  • font_02_sfnt_off00027741.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27741
    Size: 14532 bytes
    SHA-256: 0cfcc8a7a6088bc4041789d034b29692ada7bf7cb7ea30d5c8e1f7646728f7ab
  • font_03_sfnt_off0002a22e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A22E
    Size: 5884 bytes
    SHA-256: a8696d8c2bd510a59967946d7f6a76dda15d5ac122b08fc5a4855eab3811453f
  • font_04_sfnt_off0002b285.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B285
    Size: 6084 bytes
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002c21a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C21A
    Size: 3752 bytes
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e