Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3febba9c3bc285e…

Verdict: MALICIOUS

File type: PDF

Size: 360.2 KB
Created: 2015-08-24 00:08:06 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: e23ad10b187e4c3b2abe6ec29623ee16
SHA-1: 425f21db1972608ec40757f9064de9960fcf96aa
SHA-256: d3febba9c3bc285eabcb895067589d660e35634c4d1c4b5b7d3569565bdbed5a

Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains an embedded link that points to a known malicious redirector. The ML classifier also flagged this PDF with high confidence. The primary attack vector appears to be luring the user to click the malicious link, which likely leads to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%BA%D0%BD%D0%B8%D0%B3%D0%B0+%D1%80%D0%B5%D1%86%D0%B5%D0%BF%D1%82%D0%BE%D0%B2+%D0%B4%D0%BB%D1%8F+%D0%BC%D1%83%D0%BB%D1%8C%D1%82%D0%B8%D0%B2%D0%B0%D1%80%D0%BA%D0%B8+polaris+pmc+0508d+floris&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693423_laurita__romashki_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693414_sdelat__spays__doma_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693450_drayvera__dlya__muyshki_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00054fc2.bin
    SHA-256: bc140e2e04e8beb08ba4b8035406c869979f92efe8e8ded2e8b6e1971fba7308
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54FC2
    Size: 10928 bytes
  • Filename: font_01_sfnt_off00056e22.bin
    SHA-256: 407d3fd04dc490bf9f1a409d4baefbb91b4ec8c07f29921e07ce8017c6cf9ca2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56E22
    Size: 16720 bytes