Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba446c00c247a715…

MALICIOUS

PDF

Size: 186.6 KB | Created: 2015-07-26 05:33:47 +03:00 | Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6) | First seen: 2021-10-04
MD5: 52c5ea8f4c26f4d2ca9d15af7e9c1270 | SHA-1: b61d5203dc68853da5087f19fce34b0604145a84 | SHA-256: ba446c00c247a71556168e3544d97cd5dbecc94054a2a5f10be703767bab0aad
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by an ML classifier. The file routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%B0%D0%B2%D0%B0%D1%82%D0%B0%D1%80+%D0%BB%D0%B5%D0%B3%D0%B5%D0%BD%D0%B4%D0%B0+%D0%BE%D0%B1+%D0%B0%D0%B0%D0%BD%D0%B3%D0%B5+%D0%B8%D0%B3%D1%80%D0%B0+%D0%BD%D0%B0+pc+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8 (in PDF document text)
    • http://fastpic.ru/ (in PDF document text)
    • http://www.liveinternet.ru/click (in PDF document text)
    • http://img0.liveinternet.ru/images/attach/c/5//4200/4200816_instrukciya_po_yekspluatacii_motobloka_neva_mb_2.pdf (in PDF document text)
    • http://img0.liveinternet.ru/images/attach/c/5//4212/4212950_skachat_besplatno_fruti_lups_11_na_russkom_yazuyke.pdf (in PDF document text)
    • http://img0.liveinternet.ru/images/attach/c/5//4208/4208524_peredelannuye_pesni_na_yubiley_50_let_zhenschine.pdf (in PDF document text)
    • http://www.microsoft.com/typography/fonts/ (in PDF document text)
    • http://www.microsoft.com/typography/fonts/You (in PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000247d4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x247D4 | 3556 bytes | 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
font_01_sfnt_off00025557.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25557 | 14256 bytes | a40dacd3cfdfec04b84966bd6b16bf39487d8638a8acb1664c11de79b7f669ff
font_02_sfnt_off00028215.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28215 | 14468 bytes | a94cc1f67443e83403e63b3a25d8ac153ee8710c785a8ec59af7896e6f93bdfa
font_03_sfnt_off0002acc3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2ACC3 | 6868 bytes | 44d2a63ad8f164bb56edcee080a1ea83f49dd53b58248dce184c0aadb19b18ae
font_04_sfnt_off0002c085.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C085 | 6084 bytes | 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
font_05_sfnt_off0002d01a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D01A | 3752 bytes | 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e