Malicious PDF — malware analysis report

Static analysis result for SHA-256 17efec6c7b7eb087…

MALICIOUS

PDF

Size: 345.1 KB
Created: 2015-08-27 10:10:42 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 3a5d5eaaf07f453a94762d597587aede
SHA-1: f617c2aa1e654a517f85234f246d1e2cb0e74b3d
SHA-256: 17efec6c7b7eb087e9968008baf84fcd9954b4c920297cb002fb39ac356879c0
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A heuristic fired on a malicious redirector link in the PDF, pointing to 'http://botcraftman.ru/'. This indicates an attempt to lure users to a potentially harmful website. While no scripts were extracted, the presence of embedded URLs together with the ML classifier's high confidence suggests malicious intent, most likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B4%D1%80%D0%B0%D0%B9%D0%B2%D0%B5%D1%80+%D0%BF%D0%B0%D0%BA+2013&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4771/4771903_patti__smit__prosto_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4772/4772324_den__rozhdeniya__v_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4772/4772364_nvidia__geforce__gts_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off00051b37.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x51B37 | 8540 bytes
  SHA-256: 66c66c79346d00b339e4d0eb93141da89a9e23dbadc3badcedcbf2c226b5077c
font_01_sfnt_off000533e8.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x533E8 | 15760 bytes
  SHA-256: a40f5d709a30ee79bc957b03e5059a873f02d5d08196049286f2bbf779f6821b