Malicious PDF — malware analysis report

Static analysis result for SHA-256 94adb6b5f47c9be2…

Verdict: MALICIOUS
File type: PDF
Size: 354.8 KB
Created: 2015-08-25 09:24:29 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 9d04eee3537fd5d83447d962b12b8fd4
SHA-1: 07a4bf7e19b6d183cc1d59b169646ad86433c869
SHA-256: 94adb6b5f47c9be2d1d60c004a749470600d84f40b30737537f8bb51e14d1032
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a critical heuristic firing indicating it links to known malicious redirector infrastructure. The ML classifier also flagged it with high confidence. The primary IOC is the malicious URL embedded within the document, which is likely used to lure the user to a compromised site for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%94%D1%80%D0%B0%D0%B9%D0%B2%D0%B5%D1%80+%D0%B0%D1%8D%D1%80%D0%BE+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4725/4725561_skachat__mod__tropicraft_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4725/4725906_skachat__pley__market_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4725/4725241_kmsnano__v_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00053bed.bin
    SHA-256: 3656ca4ce28ab10a8dac27e69674117efb96de9830e5649147e2d064a2fca221
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x53BED
    Size: 9184 bytes
  • Filename: font_01_sfnt_off000556cc.bin
    SHA-256: af59ad0c01fc2d72ffb048c0e41a9d46993d99c465edb75a219846973c7a3bd2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x556CC
    Size: 17664 bytes