Malicious PDF — malware analysis report

Static analysis result for SHA-256 72425366c7119aa8…

Verdict: MALICIOUS
File type: PDF

Size: 184.5 KB
Created: 2015-08-08 13:19:32 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: fe5cf4c61f2122a84b44c696cc8997e0
SHA-1: d700d732b016d40b6a4de7cafc0dd572135fc189
SHA-256: 72425366c7119aa88d0e45098132b3fc57503cb128a62bdee4d867935535dc63
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector infrastructure, indicating an attempt to lure the user to a harmful site. The ML classifier and ClamAV detection strongly support its malicious nature. The embedded URL is likely intended to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Dropper.Agent-8711301-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8711301-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BE%D0%B1%D0%BE%D0%B8+800%D1%85480+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385457_skachat_css_v_34_torrent.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4391/4391938_kak_skachat_programmu_fotoshop_na_kompyuter.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4387/4387613_skachat_kamenskaya_1_sezon_torrent.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off00023f06.bin
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x23F06
  Size: 3556 bytes

font_01_sfnt_off00024c89.bin
  SHA-256: 2a73c52070dc2c75a3e18b0afa5ea2670eeb893b36b8025f01bfd7fc31ec2fd6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x24C89
  Size: 14360 bytes

font_02_sfnt_off000279b1.bin
  SHA-256: 9705fb12925e74e26d47ea791f301af28b4f4008e908a1656a30c7c2fe29751a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x279B1
  Size: 14532 bytes

font_03_sfnt_off0002a4a3.bin
  SHA-256: 3089123f1d67fa518b86256084d3b571a111a3d9a7a2d746f5d6a04f4318bb0a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2A4A3
  Size: 6824 bytes

font_04_sfnt_off0002b84f.bin
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B84F
  Size: 6084 bytes

font_05_sfnt_off0002c7e4.bin
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2C7E4
  Size: 3752 bytes