Malicious PDF — malware analysis report

Static analysis result for SHA-256 538e1343b5d34122…

MALICIOUS

PDF

351.1 KB Created: 2015-08-29 12:43:47 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6) First seen: 2021-08-25
MD5: 444bd539552656b6c7d425f8bfaac034 SHA-1: d44b447ad6f5c64c73ca8077dcb38354473390c5 SHA-256: 538e1343b5d341227d8664ccf4585dd29fbea82ec922c500526fa08ed649456f
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded links that point to a known malicious redirector. The ML classifier also strongly indicated maliciousness. While no scripts were directly extracted, the presence of malicious links suggests an attempt to redirect the user to a phishing or malware distribution site, likely as part of a spearphishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%BD%D0%B0%D0%BF%D0%B8%D1%81%D0%B0%D1%82%D1%8C+%D1%81%D0%BA%D0%B0%D0%B7%D0%BA%D1%83+%D1%80%D0%B0%D0%B7%D0%B1%D1%80%D0%BE%D1%81+%D1%81%D0%BA%D0%B0%D0%B7%D0%BA%D0%B8&charset=utf-8 In PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830005_igruy__na__piispi_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830622_via__poyuschie__gitaruy_.pdfIn PDF document text
    • http://img1.liveinternet.ru/images/attach/c/7//4831/4831364_shema__otzhimaniy__na_.pdfIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00053c6d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x53C6D 7568 bytes
SHA-256: cc59a79e8839fface1d1f8a8bf218a673e6ff9c32d7fd11b083b96bf9e446871
font_01_sfnt_off00055278.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x55278 13336 bytes
SHA-256: 4a2cb31f159034c66ada2541852876745113a05fe0958219d0409a7aef1141ff