Malicious PDF — malware analysis report

Static analysis result for SHA-256 a999d00b7fc2ce55…

MALICIOUS

PDF

185.1 KB Created: 2015-08-05 13:21:04 +03:00 Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6) First seen: 2021-09-13
MD5: 72f4231cfc8c42a4e1668394ab3c2fd0 SHA-1: 4f934b9aef1985ed0fda209cc5d28ad2d47abb22 SHA-256: a999d00b7fc2ce552d7be7152e36185ac37d5b4e26018cc56ca7139c51e73264
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded links that point to a known malicious redirector. This indicates an attempt to lure the user to a malicious site, likely for phishing or to download further malware. No scripts were extracted, but the presence of redirector links is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%BA%D0%BE%D0%B4+%D0%B0%D0%BA%D1%82%D0%B8%D0%B2%D0%B0%D1%86%D0%B8%D0%B8+%D0%B4%D0%BB%D1%8F+%D1%84%D0%B8%D1%84%D0%B0+13+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8 In PDF document text
    • http://fastpic.ru/In PDF document text
    • http://www.liveinternet.ru/clickIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304458_root_explorer_219_skachat.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304437_klyuch_dlya_avast_internet_security_601000.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304460_skachat_minecraft_1_7_2_na_android.pdfIn PDF document text
    • http://www.microsoft.com/typography/fonts/In PDF document text
    • http://www.microsoft.com/typography/fonts/YouIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00024010.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x24010 3556 bytes
SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
font_01_sfnt_off00024d93.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x24D93 14912 bytes
SHA-256: a20a552d37ccda3721a161f08befa2f9c8dc9a177731378d19e4561561ac019a
font_02_sfnt_off00027bbc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27BBC 14468 bytes
SHA-256: a8e34466c77775282ff35936152e77d2d006e6251a28fa13b9eb6049a2645024
font_03_sfnt_off0002a667.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2A667 7016 bytes
SHA-256: d7d7cfb2f0012352d54904bd74c983b0b7931be08a615834a75f7e3421821615
font_04_sfnt_off0002baba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2BABA 6084 bytes
SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
font_05_sfnt_off0002ca4f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2CA4F 3752 bytes
SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e