Malicious PDF — malware analysis report

Static analysis result for SHA-256 77d618528fdf812e…

Verdict: MALICIOUS
File type: PDF
Size: 184.9 KB
Created: 2015-08-08 13:11:19 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: cb9157552ff78221d82ed6e9d3f508e2
SHA-1: 4ca7563b9afbf92ca507e17d8a5b8e94c191793a
SHA-256: 77d618528fdf812ecd116440453130d2012c2e3aaa5f99307a503f4748313b5b
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, indicating an attempt to lure the user to a harmful site. The ML classifier also flagged this PDF with high confidence. The embedded URL is the primary indicator of malicious intent, likely serving as a first stage for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%B0%D0%B2%D1%82%D0%BE%D0%B1%D1%83%D1%81+1043+%D0%BE%D0%B4%D0%B8%D0%BD%D1%86%D0%BE%D0%B2%D0%BE+%D0%B2%D0%BD%D1%83%D0%BA%D0%BE%D0%B2%D0%BE+%D1%80%D0%B0%D1%81%D0%BF%D0%B8%D1%81%D0%B0%D0%BD%D0%B8%D0%B5&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/6//4386/4386498_opengl_es_20_skachat_na_android.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4384/4384478_makeup_pilot_42_crack.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4388/4388067_gazovaya_kolonka_electrolux_instrukciya.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000240fc.bin | 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x240FC | 3556 bytes
font_01_sfnt_off00024e7f.bin | 5ee964e841714cce8cc0def7ac4f3a36715ead8738df97aa6c5172fca0ff1880 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24E7F | 14616 bytes
font_02_sfnt_off00027b3a.bin | 7419e01a8e6f46770285243b457286ebf090d357c5b0ed7a650be792bbfe0ed7 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27B3A | 14468 bytes
font_03_sfnt_off0002a5e8.bin | 6fbe4d4f29be885c3b2d07ec2b1eb2c73e6e9a18258599a8ca96a5bcfb6e6380 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A5E8 | 6888 bytes
font_04_sfnt_off0002b9e0.bin | 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B9E0 | 6084 bytes
font_05_sfnt_off0002c975.bin | 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C975 | 3752 bytes