Malicious PDF — malware analysis report

Static analysis result for SHA-256 1fc778a5cf43e21d…

MALICIOUS

PDF

364.8 KB Created: 2015-08-24 00:23:43 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 6df8b2921a0a540a5fbf02169e265b51 SHA-1: 66b4720b3bf98d7ed33c68e591d7d14bb8942c83 SHA-256: 1fc778a5cf43e21dc6ea9a72a721106e0fdbdbd908d11e4eb3efe5dbc0867527
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a link to known malicious redirector infrastructure. The embedded URL 'http://botcraftman.ru/...' is confirmed as malicious. This suggests the document's primary purpose is to lure the user to this malicious site, likely for phishing or malware distribution. No scripts were extracted from this sample.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%B8%D0%B3%D1%80%D1%83+%D0%BF%D0%B0%D0%BF%D0%B8%D0%BD%D1%8B+%D0%B4%D0%BE%D1%87%D0%BA%D0%B8+2+%D0%B5%D0%B4%D1%83%D1%82+%D0%BD%D0%B0+%D0%BC%D0%BE%D1%80%D0%B5+%D0%BD%D0%B0+%D0%B0%D0%BD%D0%B4%D1%80%D0%BE%D0%B8%D0%B4&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693371_pink__floyd__the_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4694/4694241_skachat__igru__spanch_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693690_tut__zaycev__net_.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00056a47.bin
0c94e786ffbe039916e1d58cad0f717fdca1a6ac76f481701a5a217264967bfb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56A47 8028 bytes
font_01_sfnt_off00058162.bin
62ee313fc776a9e7c927f1390b88b310877663ff829f16e0edd6edb0e1d85987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58162 16536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.