Malicious PDF — malware analysis report

Static analysis result for SHA-256 869bb7c5aef1b097…

MALICIOUS

PDF

Size: 184.8 KB
Created: 2015-08-05 22:26:04 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: b631839041c1c2fbafc1280ef158b67b
SHA-1: 7c47b597524c2b5ca00858056ebaa2d4c3f549f9
SHA-256: 869bb7c5aef1b0971dd7abea108210389056f0178cc7e2da069459c2ba9c9240
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URL that points to a known malicious redirector. The ML classifier also flagged this PDF with high confidence. The primary attack vector appears to be luring the user to the malicious URL, which is likely part of a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_048_off0002a4cf.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2A4CF
    Size: 7008 bytes
    SHA-256: 7b470f16dd4728f27b07d9747c49bee9409e6e4fb8efffecbbc597e55c4e51ec
  • font_00_sfnt_off00023c72.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23C72
    Size: 3556 bytes
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off000249f5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x249F5
    Size: 14876 bytes
    SHA-256: 41946cc865805854913218f1c688fd8552ff792953f5012a9a395b612425cacd
  • font_02_sfnt_off0002782e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2782E
    Size: 15088 bytes
    SHA-256: 814fad537f1a844d38d8744d6855c9b18c4d6d0a32da6f29878608ce25d64d2a
  • font_04_sfnt_off0002b936.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B936
    Size: 6084 bytes
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002c8cb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C8CB
    Size: 3752 bytes
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e