Malicious PDF — malware analysis report

Static analysis result for SHA-256 894bad63eb192e43…

MALICIOUS

PDF

365.5 KB Created: 2015-08-24 03:11:21 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 369f7679167909cb9d77238d0301ce25 SHA-1: dc211d10058f6131bf67e9e72c8caf5ee4ada70e SHA-256: 894bad63eb192e431858a0456ecb228c30653eb11e65a74ce97b847194576f60
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier and contains a link to a known malicious redirector. This indicates the document is likely a lure designed to redirect users to a malicious website for phishing or malware delivery. No scripts were extracted, and the document body was heavily truncated, limiting further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%A1%D0%BA%D0%B0%D0%B9%D0%BF+%D0%B4%D0%BB%D1%8F+%D0%BD%D0%BE%D0%BA%D0%B8%D0%B0+%D1%816+01+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4696/4696740_skachat__video__ezhik_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4694/4694107_russkie__narodnuye__pesni_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4696/4696647_uzoruy__dlya__nalichnikov_.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005750c.bin
faa1e86e12206ec2fe8b71dcb980a4c639b84503d7365cb61c448eaa20ec6c9b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5750C 9224 bytes
font_01_sfnt_off00058e23.bin
99eae0e142c140a858a5300dc6fce899b38702bb5aade33d03c377f3e1c692cf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58E23 12468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.