Malicious PDF — malware analysis report

Static analysis result for SHA-256 21ecab795c3b1736…

Verdict: MALICIOUS
File type: PDF
Size: 353.5 KB
Created: 2015-08-26 19:44:38 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: c5c4378a4726b12bc4ede4b378cb56b4
SHA-1: 9eda13026c842c02b9450509b1e3fbb5596f5517
SHA-256: 21ecab795c3b1736ef28ed5bd9d7737b823850bd3e87818ec616187e360e984d
Risk Score: 90

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, botcraftman.ru. This indicates the file is designed to lure users to a malicious site, likely for phishing or to download further malware. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, and the document body was unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9897

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0+%D0%B4%D0%BB%D1%8F+%D0%B7%D0%B0%D0%BF%D0%B8%D1%81%D0%B8+%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE+%D1%81+%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D0%BC%D0%B5%D1%80%D1%8B&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762388_skayrim__chit__na_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762164_windows__7__zver_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762543_vkontakteruclearwallv3_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00054075.bin
    SHA-256: f449f677e1ed6ae27df7e9e554d2aaf70ab9483c35abc810eb279489061c1664
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54075
    Size: 8196 bytes
  • Filename: font_01_sfnt_off000557ea.bin
    SHA-256: 9c6f06ad96e13ae79c7e5e2ef327fe6fcc65c31bcb3c8c32ef5826a2804e8cf7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x557EA
    Size: 15160 bytes