Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a354d1f1f007811…

MALICIOUS

PDF

Size: 348.0 KB
Created: 2015-08-22 12:12:34 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 709c27d31851f79129295a9e3b650ba8
SHA-1: 127e0308f13c13b710e66a0638190f7d57ecc0c4
SHA-256: 5a354d1f1f007811cf52ee7e3344aad2dde178e1ddeae0fb9bff1150c670fba1
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating a redirector link to known malicious infrastructure. The ML classifier also strongly flagged this PDF as malicious. While no scripts were extracted, the embedded URL is the primary indicator of malicious intent, likely serving as a lure to a phishing or malware distribution site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%81%D1%82%D0%B0%D0%BB%D0%BA%D0%B5%D1%80+%D1%82%D0%B5%D0%BD%D1%8C+%D1%87%D0%B5%D1%80%D0%BD%D0%BE%D0%B1%D1%8B%D0%BB%D1%8F+10006+%D1%81+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82%D0%B0&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4676/4676848_variantuy_dosrochnogo_egye_po_fizike_2015.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4676/4676351_oformlenie_gruppuy_romashka_v_detskom_sadu_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4676/4676154_skachat_operu_na_telefon_nokia_5530.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0005286d.bin
  SHA-256: e8ed4566b8b8ca8c62e2a4456efaf58ab60789204168e5a532a0807428f497bb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5286D
  Size: 10220 bytes

Filename: font_01_sfnt_off0005447b.bin
  SHA-256: 56c5fdfb21b2b9f58265a94a7325ec276edfcfaa28a0041585b211465ad4b2eb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5447B
  Size: 13900 bytes