Malicious PDF — malware analysis report

Static analysis result for SHA-256 182e90c56fc8576a…

MALICIOUS

PDF

345.9 KB Created: 2015-08-29 11:48:33 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6) First seen: 2021-11-24
MD5: 57742e2908fdc30ad13dbff757c27021 SHA-1: c2d4cd6b12bab4d7f8dc261fc213b959a330f4a1 SHA-256: 182e90c56fc8576aadc84ca0a2ae170d745294d54fb804944fc94e8678406f6c
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating a link to known malicious redirector infrastructure. The embedded URL, http://botcraftman.ru/, is likely intended to lead the user to a malicious site. While no scripts were explicitly extracted, the PDF structure and the malicious link suggest an attempt to lure the user to a compromised or malicious domain, potentially for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%98%D0%B3%D1%80%D0%B0+pou+%D0%BD%D0%B0+%D0%BD%D0%BE%D0%BA%D0%B8%D0%B0+5230&charset=utf-8 In PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830224_besplatnuyy__bonus__kod_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830680_mezza__vuydoh__v_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4830/4830668_skachat_.pdfIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000522c5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x522C5 8136 bytes
SHA-256: fe3175a741515fa4752b5bf0acfb1e2a37448324f31c08b0cc13ff531ebcc801
font_01_sfnt_off000539c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x539C2 15216 bytes
SHA-256: dc7db62280560deff7e8330e70d01113091a75591f776aef9eed373c9712420b

Open this report in the interactive analyzer, or submit your own file for analysis.