Malicious PDF — malware analysis report

Static analysis result for SHA-256 2042b207e3dd9453…

MALICIOUS

PDF

Size: 184.6 KB
Created: 2015-08-08 10:46:04 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 3e954f12c50455ce7d6da8ab12026ecb
SHA-1: 4c6b9f35f9b3f26b1e712ba0c844db8707d22c08
SHA-256: 2042b207e3dd9453bd8afd13e8a566cc1e5d9f601bd894337667f45ec1ed8ea3
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, http://botcraftman.ru/, which is a strong indicator of malicious intent. This type of link is commonly used to direct users to phishing pages or to download further malicious payloads. No scripts were extracted from this sample, and the document body was heavily truncated and unreadable.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%BE%D0%BF%D0%B5%D0%BD+%D0%BA%D0%B8%D0%B4%D1%81+%D0%B2%D0%B0%D0%B6%D0%BD%D0%BE+%D1%82%D0%B5%D0%BA%D1%81%D1%82+%D0%BF%D0%B5%D1%81%D0%BD%D0%B8&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385522_domashniy_biznes_v_internete_skachat_besplatno.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385098_acronis_dlya_windows_8_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4384/4384253_yemulyator_ipad_dlya_windows.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00023fcf.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23FCF
    Size: 3556 bytes
  • font_01_sfnt_off00024d52.bin
    SHA-256: a216238fb79de036192c7c86661ea47da92cff6c27a93559ff26f2e3e3b9a825
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24D52
    Size: 15124 bytes
  • font_02_sfnt_off00027c03.bin
    SHA-256: b79d56b22a3d37edc4793e81e28af2d51416733c1decb699be69ae0b1e9dff38
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27C03
    Size: 14468 bytes
  • font_03_sfnt_off0002a6b2.bin
    SHA-256: 712a836e3ecfa179a6b96f2ce36f1a32776a05714d9e6185c083bc8a59adb8b6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A6B2
    Size: 6404 bytes
  • font_04_sfnt_off0002b8c8.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B8C8
    Size: 6084 bytes
  • font_05_sfnt_off0002c85d.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C85D
    Size: 3752 bytes