Malicious PDF — malware analysis report

Static analysis result for SHA-256 b85e56c56867884c…

MALICIOUS

PDF

Size: 374.6 KB
Created: 2015-08-24 03:13:29 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: b1de30199d1bf89447c5f07024cdfdce
SHA-1: d40640698bcdce60fa9236dc34c2ffb400471261
SHA-256: b85e56c56867884c923aecd2286f8021c9c1456aa2ba6ed3d22e89a1ff3369f1
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by a critical heuristic for linking to a known malicious redirector. The ML classifier also assigned a high probability of maliciousness. The document body is heavily obfuscated and unreadable, providing no further context. The primary threat appears to be the embedded malicious URL, which is likely used to redirect users to a harmful destination.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9960

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%A1%D1%85%D0%B5%D0%BC%D0%B0+%D0%BA%D0%BF%D0%BF+%D0%BC%D0%B0%D0%B7+238+%D1%81+%D0%B4%D0%B5%D0%BB%D0%B8%D1%82%D0%B5%D0%BB%D0%B5%D0%BC&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4695/4695569_primeruy__keysov__po_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4696/4696025_skachat__yemulyator__soni_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693657_programma__diagnostika__reno_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000599f5.bin | f583c5f02ac9dc3124b7259ab62d118557b74089310ef6e909b336290c08c8f3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x599F5 | 8744 bytes
font_01_sfnt_off0005b28d.bin | 55e182da7e2a1bb188774782686f2ed89cc2270c48280eb31f0958e3559306ed | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B28D | 12484 bytes