Malicious PDF — malware analysis report

Static analysis result for SHA-256 19f803d9e8e2f537…

Verdict: MALICIOUS
File type: PDF
Size: 184.3 KB
Created: 2015-07-24 15:14:58 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 7aabb56b92a3b1433088f588c317bcf6
SHA-1: a503d533fc5ff02518c8f0a854fa2381caeb292a
SHA-256: 19f803d9e8e2f53711531bc81a426ebf19e373835e1a1a752462e7d084c633db
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link that is flagged as a malicious redirector. The link's URL suggests a lure to download Windows 7, a common tactic for social engineering. No scripts were extracted, and the document body was not sufficiently readable to provide further context. The primary malicious indicator is the embedded URL pointing to known malicious infrastructure.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=live+cd+windows+7+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4192/4192874_propellerhead_reason_7_skachat_torrent.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4187/4187456_dipak_chopra_idealnuyy_ves_skachat.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4185/4185148_vzlomannuyu_versiya_igra_igun_pro_na_android.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_048_off0002a49b.bin | f4e869bb190ec9ce2cba09dfbac14d10af1e8a8e1b06f2086860aa8d53220619 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A49B | 6616 bytes |
| font_00_sfnt_off00023dd6.bin | 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x23DD6 | 3556 bytes |
| font_01_sfnt_off00024b59.bin | cdc421d9a0d69886d3d39d69543c8b10a74505c7a78476e4b5c453d37142d349 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x24B59 | 14904 bytes |
| font_02_sfnt_off00027951.bin | 959a4541fa11e40f8aae0874cae20d37b5d0782ffd290d9fff081363308aa99d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27951 | 14632 bytes |
| font_04_sfnt_off0002b788.bin | 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B788 | 6084 bytes |
| font_05_sfnt_off0002c71d.bin | 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C71D | 3752 bytes |