Malicious PDF — malware analysis report

Static analysis result for SHA-256 053e581db7fa9603…

Verdict: MALICIOUS
File type: PDF
Size: 359.6 KB
Created: 2015-08-28 17:58:56 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: d3daa83eef7067773d2976dc50c81703
SHA-1: 4333f1678d3e768b3327c35724b99f8e39ab19d4
SHA-256: 053e581db7fa96034bf9b7eee49a1df8e0315fb0b9c1df7f7c8d64155d60f9cf
Risk score: 152

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, botcraftman.ru, which is indicative of malware distribution or phishing campaigns. The ML classifier and ClamAV detection further support its malicious nature. While no scripts were extracted, the PDF structure and the embedded link strongly suggest it is designed to lure users to a harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Dropper.Agent-8478786-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8478786-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL:
    • http://botcraftman.ru/?lip&keyword=%D0%B7%D0%B0%D0%B3%D0%BE%D0%B2%D0%BE%D1%80%D1%8B+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4809/4809666_avtobus__moskva__kamuyshin_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4809/4809691_nayti__vlyubitsya__i_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4809/4809463_raspisanie__avtobusov__telehanuy_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00055fd5.bin
    SHA-256: 17448824ef5df1e9db40a4c71635b386672c5c94e21c2e1cee8b642392fe282c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55FD5
    Size: 7692 bytes
  • Filename: font_01_sfnt_off000575f2.bin
    SHA-256: 8fd7475d0f9e51ae27b8e55b34995b78d2788b05380327894de6f93ab43d6768
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x575F2
    Size: 12700 bytes