Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0ab7f989510adb9…

Verdict: MALICIOUS

File type: PDF

Size: 354.4 KB
Created: 2015-08-28 11:40:05 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6), an HTML-to-PDF renderer
MD5: 169fe1d3d95ef9d1d9067c8f4e4475a0
SHA-1: 41b4ee1a038501b31356cd2b5ddf01f3a83529ed
SHA-256: f0ab7f989510adb9b0566a47f781b971477114d195e73a41704e9502a990a2f0
Risk Score: 90

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1566.001 Spearphishing Attachment (the original tag paired ID T1566.002 with the name "Spearphishing Attachment"; .002 is Spearphishing Link and .001 is Spearphishing Attachment, and both apply to a mailable PDF that carries a clickable URI)
T1059.001 PowerShell (not corroborated by this report: no script content was extracted from the sample, so treat this mapping as a classifier tag rather than an observed behaviour)

The PDF contains a link annotation (a clickable URI, not script content) whose target host, botcraftman.ru, is identified by the heuristic below as redirector infrastructure used by a known malicious PDF SEO/adware campaign; the query string carries a percent-encoded Russian search phrase, consistent with a search-engine lure. The ML classifier independently flagged the document with high confidence (0.9980). The attack depends on the user clicking the link; the redirect chain is expected to serve a secondary payload or a phishing page, which is inferred from the destination rather than from anything carried in the file. No scripts were extracted from this sample, and no PDF parser vulnerability is involved.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83+%D1%80%D0%B5%D0%BB%D0%B0%D0%BA%D1%81&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802483_kak__pravilno__zapolnit_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802442_programmuy__chitalki__dlya_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802413_zadachnik__po__fizike_.pdf
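The following extractor is an added example, not code from the analysis engine that produced this report. It shows how the link-annotation channel flagged above is recovered from a PDF: it scans for /URI targets written as literal and as hex strings, inflates FlateDecode streams so annotations packed into object streams are not missed, matches each host against an assumed local blocklist (seeded only with the redirector host named above), and decodes the keyword query parameter to expose the lure text. The sample PDF is constructed in the block and is not the analysed sample; REDIRECTOR_HOSTS, the function names and the verdict labels are assumptions.

```python
import re
import urllib.parse
import zlib

# Assumption: a local blocklist of redirector hosts. The single entry is the host
# named in the heuristic above; a real deployment would feed this from threat intel.
REDIRECTOR_HOSTS = {"botcraftman.ru"}

LITERAL_URI = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (http://...)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")          # /URI <687474703a...>
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _uris_in(buf: bytes):
    """Yield raw /URI targets found in one buffer, literal strings first, then hex strings."""
    for m in LITERAL_URI.finditer(buf):
        yield re.sub(rb"\\(.)", rb"\1", m.group(1))       # undo \( \) \\ escapes
    for m in HEX_URI.finditer(buf):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) % 2:                                     # PDF pads an odd final nibble with 0
            h += b"0"
        yield bytes.fromhex(h.decode("ascii"))


def _inflated_streams(pdf: bytes):
    """Yield the plaintext of every stream that inflates with zlib; skip the rest."""
    for m in STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue   # image data, fonts, or a filter other than FlateDecode


def extract_link_uris(pdf: bytes) -> list:
    """Return every distinct /URI target: raw objects first, then those hidden in
    FlateDecode-compressed (object) streams, which a plain grep of the file misses."""
    seen, out = set(), []
    for buf in [pdf] + list(_inflated_streams(pdf)):
        for raw in _uris_in(buf):
            uri = raw.decode("utf-8", errors="replace")
            if uri not in seen:
                seen.add(uri)
                out.append(uri)
    return out


def classify(uri: str) -> dict:
    """Label one URI: host, blocklist hit, and the decoded keyword= lure parameter."""
    parts = urllib.parse.urlsplit(uri)
    host = (parts.hostname or "").lower()
    params = urllib.parse.parse_qs(parts.query)            # unquotes %xx and '+' -> space
    return {
        "uri": uri,
        "host": host,
        "redirector": host in REDIRECTOR_HOSTS,
        "keyword": params.get("keyword", [None])[0],
    }


def analyze(pdf: bytes) -> list:
    return [classify(u) for u in extract_link_uris(pdf)]


def verdict(findings: list) -> str:
    # Assumed labels: a blocklisted link-annotation host is enough for MALICIOUS.
    return "MALICIOUS" if any(f["redirector"] for f in findings) else "NO_DETECTION"


def build_sample_pdf() -> bytes:
    """Constructed test document (not the analysed sample) with three link annotations:
    one literal, one hidden in a FlateDecode object stream, one as a hex string."""
    lure = (b"http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C"
            b"+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D1%83"
            b"+%D1%80%D0%B5%D0%BB%D0%B0%D0%BA%D1%81&charset=utf-8")
    sibling = b"http://img0.liveinternet.ru/images/attach/c/7//4802/4802483_kak__pravilno__zapolnit_.pdf"
    sibling2 = b"http://img0.liveinternet.ru/images/attach/c/7//4802/4802442_programmuy__chitalki__dlya_.pdf"

    def annot(uri_string: bytes) -> bytes:
        return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                b"/A << /S /URI /URI " + uri_string + b" >> >>")

    obj1 = annot(b"(" + lure + b")")                          # plain literal string
    obj4 = annot(b"<" + sibling2.hex().encode() + b">")       # hex string: no "http" in the file bytes
    packed = zlib.compress(b"3 0 " + annot(b"(" + sibling + b")"))   # object 3 inside an object stream
    return (b"%PDF-1.4\n"
            b"1 0 obj\n" + obj1 + b"\nendobj\n"
            b"2 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"4 0 obj\n" + obj4 + b"\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    findings = analyze(build_sample_pdf())
    for f in findings:
        print(f)
    print(verdict(findings))
```

On the sample above the keyword parameter decodes to "скачать бесплатно музыку релакс" ("download free relax music"), the kind of search phrase these mass-generated SEO PDFs are built around. The regex approach is a triage aid only: a production extractor should use a real PDF parser so that cross-reference streams, object streams that /Extends others, encrypted strings and non-Flate filters are handled rather than silently skipped.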

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font streams, which are expected in HTML-rendered PDF output; they are listed for inventory and are not counted as detections.

Filename: font_00_sfnt_off00054427.bin
  SHA-256: 83054b7483edc90810a61e372b1b0b1c9d9b6adadb836f56683f711ecff28159
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x54427
  Size:    10504 bytes

Filename: font_01_sfnt_off00056096.bin
  SHA-256: e45e03cebbc450d86b60a18fdcb068081c8a97409185fb69081f1ab79046d663
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x56096
  Size:    12868 bytes