Malicious PDF — malware analysis report

Static analysis result for SHA-256 e96da02e0a8ac9a5…

MALICIOUS

PDF

Size: 351.2 KB
Created: 2015-11-16 05:26:42 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
First seen: 2020-09-24
MD5: 9a018da0666a6f140650cbe8cacc103c
SHA-1: ec9b4fa30659c27510e1cd14af64676f5d0f8beb
SHA-256: e96da02e0a8ac9a5bf37c48535dafd00eaf34b1f3854c28f9b2c8e63360fb971
Risk Score: 74

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was flagged by an ML classifier as malicious. It contains an embedded URI pointing to 'taurus-tg.ru', which is likely a phishing or malware distribution site. The document body is heavily obfuscated and appears to be malformed, further indicating malicious intent. No scripts were extracted, and the primary threat appears to be the embedded URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Image lure linking to an SEO redirector (free-download phishing) [high] PDF_SEO_UTM_REDIRECTOR_LINK
    The PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector: the "free ebook / solution-manual / document download" phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so the detection does not depend on a ClamAV/ML signature, regardless of how many filler text pages the lure carries.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://taurus-tg.ru/?nnr&keyword=%D0%BF%D1%80%D0%B0%D0%B2%D0%B8%D1%82%D0%B5%D0%BB%D0%B8+%D0%B8+%D0%B8%D1%85+%D1%81%D0%BE%D0%B2%D1%80%D0%B5%D0%BC%D0%B5%D0%BD%D0%BD%D0%B8%D0%BA%D0%B8+%D1%82%D0%B0%D0%B1%D0%BB%D0%B8%D1%86%D0%B0&charset=utf-8 (PDF link annotation)
    • http://media.nn.ru/data/ufiles/2015-11/a9/72/42/5648f7761fa66_skachatmodydliagtasanandreasrusskiemashiny.pdf (in PDF document text)
    • http://media.nn.ru/data/ufiles/2015-11/1b/58/6e/564908c5d7839_realnyevariantyegepofizike2015.pdf (in PDF document text)
    • http://media.nn.ru/data/ufiles/2015-11/bb/fc/55/5648b84baf556_soulcalibur5pcskachattorrent.pdf (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00053474.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x53474
    Size: 7248 bytes
    SHA-256: 19a09f74df5b311e3a8a6e559416dd05c284f552c17b730e95aaaaed8c369436
  • Filename: font_01_sfnt_off00054a40.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54A40
    Size: 16668 bytes
    SHA-256: b399d0c008d0d1b75d70d3ff4842c5ffb6ac97e7e5974f4b0f335d4723223f35