Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ce2a7e359167a80…

MALICIOUS

PDF

Size: 347.2 KB
Created: 2015-11-12 16:31:27 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
First seen: 2026-05-08
MD5: 2ec81a38c704f45e84bb8f9b82a172cc
SHA-1: 843350c6815d289d7fc577a86ddfd57033a13677
SHA-256: 5ce2a7e359167a809389287498e6abc4767095333ecd8ba592b86672dc278939
Risk Score: 74

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains an embedded URL that redirects to a suspicious domain, identified as a potential phishing lure for free downloads. The ML classifier strongly indicates maliciousness, and the heuristic firings confirm the presence of external URIs and redirector links. No scripts were extracted, but the overall structure suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • http://taurus-tg.ru/?nnr&keyword=%D0%9C%D0%B0%D1%80%D0%BA+%D1%80%D1%83%D0%B4%D0%B8%D0%BD%D1%88%D1%82%D0%B5%D0%B9%D0%BD+%D1%83%D0%B1%D0%B8%D1%82%D1%8C+%D0%B7%D0%B2%D0%B5%D0%B7%D0%B4%D1%83+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8 (PDF link annotation)
    • http://media.nn.ru/data/ufiles/2015-11/a8/91/f6/5641fa428ef7d_skachatelektroskhemastels500gt.pdf (in PDF document text)
    • http://media.nn.ru/data/ufiles/2015-11/56/46/9e/5643cfa9134c3_ivandornrandorn2014skachatalbomtorrent.pdf (in PDF document text)
    • http://media.nn.ru/data/ufiles/2015-11/45/2d/7d/5642d310223d4_chastotyikodysputnikovykhkanalovna16112015god.pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000522e6.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x522E6
  Size: 8100 bytes
  SHA-256: 3c73dcfe6ff59433499bbb04f7dff6e2d344c4a8dfbb150654bdf207729aca8f

Filename: font_01_sfnt_off00053b0d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x53B0D
  Size: 16192 bytes
  SHA-256: 322bc945a1f0173369877f5ae75256876f634cefe9f81984fb5845096b18b94f