Malicious PDF — malware analysis report

Static analysis result for SHA-256 6cc09c5a4b9c2120…

Verdict: MALICIOUS
File type: PDF
Size: 375.7 KB
Created: 2015-08-23 23:21:14 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 4ea7b23eb03d9dfc83cd5f980c7c73a7
SHA-1: c48f205e7e9fab306c8f3bfd096d7ea89709be05
SHA-256: 6cc09c5a4b9c2120cc74832cb030524efe6d9123635afee0a67956e5f2932690
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a link to a known malicious redirector URL, indicating an attempt to lure the user to a harmful site. The ML classifier also strongly flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the critical heuristic firing strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9943

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%B0+%D1%81%D1%83%D0%BF%D0%B5%D1%80+%D0%BC%D0%B0%D0%BA%D1%81+70+80+%D0%B3%D0%BE%D0%B4%D1%8B+%D0%BF%D0%B5%D1%81%D0%BD%D0%B8+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4692/4692978_reshu__egye__po_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4692/4692970_chit__dlya__world_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4692/4692979_prototype__2__skachat_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00059291.bin
    SHA-256: 2b15f369699c0b4dc863c5fca19033e5ec03bea9cb89ac9ec374ff5f3a390d20
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x59291
    Size: 8448 bytes
  • Filename: font_01_sfnt_off0005ab24.bin
    SHA-256: a1a0f6accb4749242843ca310d52a87ec8b9a6902af828ab591c52f5c1711a58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5AB24
    Size: 17352 bytes