Malicious PDF — malware analysis report

Static analysis result for SHA-256 2955a61b1b7e6c09…

MALICIOUS

PDF

Size: 136.6 KB
Created: 2015-08-25 15:12:27 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: bcff982817615676d94eebf60a9db346
SHA-1: 5b2b1d3bf16d37f2cd3be31ff71bc66d531ffa03
SHA-256: 2955a61b1b7e6c0940cf142017af727a0ee16b25d1a74a750e7bddad9efadba8
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was identified as an image-only lure, a common phishing technique. A critical-severity heuristic fired on a malicious redirector link pointing to http://botcraftman.ru/?lip&keyword=3+d&charset=utf-8. This URL is the primary indicator of malicious intent and likely leads to further stages of an attack. No scripts were extracted, and the document body was unreadable.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1719

Heuristics (3)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 136 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=3+d&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4731/4731889_majesty__2__the_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4732/4732018_fifa__menedzher__2014_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4731/4731419_kosuynku__dlya__vindovs_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001eb6d.bin
    SHA-256: 4cc681e944a727b3707a34123c34aa59f29b7be3d0dd04c867e2088520edd735
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1EB6D
    Size: 7260 bytes
  • font_01_sfnt_off00020057.bin
    SHA-256: ee9325391774214c0c60e6720a7e7ccab25bda4f2cda2cf9082273dbdd70670a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x20057
    Size: 10796 bytes