Malicious PDF — malware analysis report

Static analysis result for SHA-256 738dd94d3a181957…

Verdict: MALICIOUS
File type: PDF
Size: 186.9 KB
Created: 2015-08-05 21:58:39 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: a92c81c32e8e8555cb63c04d6ab9cb19
SHA-1: c66a21ccbee79ea7c4d97637b49b3703c1d271ba
SHA-256: 738dd94d3a181957295de320ffc91f3a488d131998b75617fd582b471b3cdc4f
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URL that is flagged as a malicious redirector. The ML classifier also strongly indicated maliciousness. This suggests the document is designed to lure users to the malicious domain, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%B3%D0%B4%D0%B5-%D1%82%D0%BE+%D0%BD%D0%B0+%D0%BA%D1%80%D0%B0%D1%8E+%D1%81%D0%B2%D0%B5%D1%82%D0%B0+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+fb2&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4305/4305541_blank_doverennosti_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4306/4306116_bmw_x5_e70.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4308/4308174_neproveryaemuye_soglasnuye_v_korne_slova_primeruy_4_klass.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000245cd.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x245CD
    Size: 3556 bytes
  • font_01_sfnt_off00025350.bin
    SHA-256: 8296ce2bef068db6731d07996dfe55345aede2caf3aea4b42d2259bfcd0a7dda
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25350
    Size: 15076 bytes
  • font_02_sfnt_off000281c4.bin
    SHA-256: 33936d0286f501c58fa5f688a61b01aa5a8f67d8e7c44cc1938592591b5e33fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x281C4
    Size: 14696 bytes
  • font_03_sfnt_off0002ad33.bin
    SHA-256: 82f1349d13cca1cb7c57c81b9688b114a3bff561e6474bd9f3065b7d3ee57743
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AD33
    Size: 7028 bytes
  • font_04_sfnt_off0002c1a4.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C1A4
    Size: 6084 bytes
  • font_05_sfnt_off0002d139.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2D139
    Size: 3752 bytes