Malicious PDF — malware analysis report

Static analysis result for SHA-256 67ceebf0455a63c1…

MALICIOUS

PDF

369.0 KB Created: 2015-11-14 02:51:34 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: f0ee0204abbdad80871ef37038f32525 SHA-1: 2b8da660219b4f54c1abdd770c7cc9fdc88edda1 SHA-256: 67ceebf0455a63c1fce7803b0eeb343bedcf807113b1658baf7c879430ca5357
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ML classifiers and ClamAV, specifically identified as a dropper. It contains an embedded URL that, when clicked, likely leads to the download of a second-stage payload. The URL itself contains keywords suggesting a download of files related to software or game activation, indicating a lure to trick the user into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7669961-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7669961-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://taurus-tg.ru/?nnr&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%81%D1%85%D0%BE%D0%B4%D0%B8%D0%BD%D0%BA%D0%B8+%D0%B4%D0%BE+%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%82%D0%B8%D0%BA%D0%B8+1-6+%D0%BA%D0%BB%D0%B0%D1%81+%D1%87%D0%B5%D1%80%D0%B5%D0%B7+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://media.nn.ru/data/ufiles/2015-11/9a/26/cc/5645eeddab973_assassinscreed2kodaktivatsii.pdf
    • http://media.nn.ru/data/ufiles/2015-11/f8/c0/a3/56463dfd04e46_tachkimultachkibaikimetraigraskachattorrent.pdf
    • http://media.nn.ru/data/ufiles/2015-11/b7/6c/7d/564607e28d76e_knigaretseptovdliamultivarkiskarletsc-410.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00057bd4.bin
a3f12c6f055b5640834656a56764342b9a5dcd486325a907ef95adca9dceba2a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57BD4 8384 bytes
font_01_sfnt_off00059520.bin
b10744e4ffa006229b6a5d1fcca9e311d5f1da390df4bd0a2864ee32d4621d24		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59520 15384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.