Malicious PDF — malware analysis report

Static analysis result for SHA-256 8eca637d771b51d2…

MALICIOUS

PDF

Size: 363.4 KB
Created: 2015-08-28 11:43:01 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 1c46958a1ffb0c49ab04a0c478ba76ff
SHA-1: 56560dc067730bd98a3b4a13c2c846398b8fb7c0
SHA-256: 8eca637d771b51d28654fb8a628a5b0011f7eabbcecd85e6addbd5e1586cfdee
Risk Score: 90

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file contains a link to a known malicious redirector infrastructure, as indicated by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic. The ML classifier also flagged this PDF with high confidence. The embedded URL is the primary indicator of malicious intent, suggesting the document is designed to lure users to a compromised site. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=wasteland+2+%D0%BF%D1%80%D0%BE%D1%85%D0%BE%D0%B6%D0%B4%D0%B5%D0%BD%D0%B8%D0%B5&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802588_telefonnuyy__spravochnik__myerii_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802404_skachat__posledniy__patch_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802511_programma__skladskogo_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • Filename: font_00_sfnt_off00056516.bin
    SHA-256: 9d4929e90f788cda221d7af49d3df3b6d147d71ececd086a7c2e1fc98755901f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56516
    Size: 8992 bytes
  • Filename: font_01_sfnt_off00057e9a.bin
    SHA-256: b77331837e76f89f9b16e7d69bae288dfdf75d86962384c5aa9bdbc05d701bea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57E9A
    Size: 15424 bytes