Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bf7c5372d9d1e3b…

Verdict: MALICIOUS
File type: PDF
Size: 390.5 KB
Created: 2015-08-26 09:50:43 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 91b7c3a58bfa3e573d07cdb06ac1e8c6
SHA-1: 7a2ab242c6fdfd8f5c34543ae899f71fc62da23f
SHA-256: 2bf7c5372d9d1e3b17ffa4d3c6d4ca1935d0192ba5896fce227b3dcd8adaf889
Risk score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (automated tag; not corroborated by this analysis, which extracted no script content and bases the verdict solely on the link annotation below)

The PDF contains a clickable link annotation whose target is a known malicious redirector. The heuristic indicates that the document exists to send a user who clicks it to a potentially harmful site. No scripts were extracted from this sample, and the document body was heavily obfuscated and truncated, so nothing beyond the malicious link could be established about its content or intent.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure
    Severity: critical  ID: PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL
    Severity: info  ID: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%80%D0%B8%D0%BD%D0%B0%D1%82+%D0%B2%D0%B0%D0%BB%D0%B8%D1%83%D0%BB%D0%BB%D0%B8%D0%BD+%D0%B2+%D0%BA%D0%B0%D0%B6%D0%B4%D0%BE%D0%BC+%D0%BC%D0%BE%D0%BB%D1%87%D0%B0%D0%BD%D0%B8%D0%B8+%D1%81%D0%B2%D0%BE%D1%8F+%D0%B8%D1%81%D1%82%D0%B5%D1%80%D0%B8%D0%BA%D0%B0+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+fb2&charset=utf-8
      (the keyword parameter percent-decodes to the Russian search phrase "ринат валиуллин в каждом молчании своя истерика скачать бесплатно fb2", i.e. "Rinat Valiullin, In every silence its own hysteria, download free fb2": e-book bait consistent with the SEO campaign named above)
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751635_holostyak__4__sezon_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751953_kak__sozdat__soderzhanie_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751828_kod__dlya__itunes_.pdf
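How the two heuristics above can be reproduced against a PDF, as an added example that is not the scanner's or the report's own code. SAMPLE_PDF is constructed inline (its first link reuses the report's redirector URL with the keyword shortened to one word) and REDIRECTOR_HOSTS is an assumed blocklist standing in for a real threat-intel feed:

```python
# Added example (not the scanner's own code): pull /URI link annotations out of
# a PDF, percent-decode the query string, and apply a redirector-host heuristic.
# SAMPLE_PDF and REDIRECTOR_HOSTS are constructed for illustration.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed single-page PDF: two /Link annotations, one to a redirector in the
# same style as the report's URL (keyword shortened), one to a plain .pdf host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=%D1%80%D0%B8%D0%BD%D0%B0%D1%82+fb2&charset=utf-8) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]
  /A << /S /URI /URI (http://img1.liveinternet.ru/images/attach/c/7//4751/4751635_holostyak__4__sezon_.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed blocklist; a production scanner would consult a curated redirector feed.
REDIRECTOR_HOSTS = {"botcraftman.ru"}

# Literal-string /URI values; tolerates escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Presence of any JavaScript action anywhere in the plaintext objects.
JS_RE = re.compile(rb"/JavaScript\b|/JS\b")


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uris(pdf: bytes) -> list:
    """Every /URI found in the uncompressed object text.
    Caveat: annotations stored inside FlateDecode object streams must be
    inflated first; this scanner only sees plaintext objects."""
    return [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]


def decode_query(url: str) -> dict:
    """Percent-decoded query parameters, so the SEO keyword becomes readable."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def classify(pdf: bytes) -> dict:
    """Apply the two checks the report relies on: redirector link, script presence."""
    uris = extract_uris(pdf)
    hits = [u for u in uris if urlsplit(u).hostname in REDIRECTOR_HOSTS]
    return {
        "uris": uris,
        "redirector_hits": hits,
        "keywords": [decode_query(u).get("keyword", [""])[0] for u in hits],
        "has_javascript": bool(JS_RE.search(pdf)),
        "verdict": "MALICIOUS" if hits else "CLEAN",
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

The verdict rests on the link target alone, exactly as in the report: a document with the same structure but a benign host classifies CLEAN, and the JavaScript check is reported separately so an analyst can see that no script channel was involved.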

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded sfnt fonts are normal output for a wkhtmltopdf-generated document; they are listed for completeness and carry no detection of their own.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0005d20b.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D20B   8684 bytes
  SHA-256: 510496f537028bc2e640e08517e0ec6cd944eed09a937f8658f432ee58a83022
font_01_sfnt_off0005eb8a.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EB8A   14688 bytes
  SHA-256: 8622fcb699a6329a1eb1249222c6396938add6421833a2b60815838d1402d759
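How a carver arrives at rows like the ones above, as an added example that is not the scanner's own carver. It walks each stream object, inflates FlateDecode bodies, and keeps those that start with an sfnt magic, reporting the raw stream offset, decoded size and SHA-256. The PDF fragment is constructed inline and fake_sfnt() emits only an sfnt offset table, not a usable font:

```python
# Added example (not the scanner's own carver): inflate each PDF stream and
# carve bodies that begin with an sfnt magic, reporting raw offset, size and
# SHA-256 like the artifact table above. SAMPLE_PDF is constructed inline and
# fake_sfnt() emits only an sfnt offset table, not a usable font.
import hashlib
import re
import struct
import zlib

# TrueType, CFF-based OpenType, Apple 'true', and TrueType-collection magics.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# Matches a stream dictionary (one nesting level), then the stream body.
# Real parsers should honour /Length rather than searching for 'endstream'.
STREAM_RE = re.compile(
    rb"(?P<dict><<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(?P<body>.*?)\r?\nendstream",
    re.S,
)


def fake_sfnt(num_tables: int) -> bytes:
    """sfnt offset table: version 1.0, numTables, searchRange, entrySelector,
    rangeShift, then zero padding (constructed; not a real font)."""
    return struct.pack(">IHHHH", 0x00010000, num_tables, 16, 0, 0) + b"\x00" * 32


def carve_sfnt_streams(pdf: bytes) -> list:
    """Rows shaped like the report's artifact table: offset, size, sha256."""
    rows = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group("body")
        data = zlib.decompress(body) if b"/FlateDecode" in m.group("dict") else body
        if data[:4] not in SFNT_MAGICS:
            continue  # page content, images, etc. are not fonts
        rows.append({
            "filename": f"font_{len(rows):02d}_sfnt_off{m.start('body'):08x}.bin",
            "offset": m.start("body"),
            "size": len(data),
            "num_tables": struct.unpack(">H", data[4:6])[0],
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return rows


def build_sample() -> bytes:
    """Constructed PDF fragment: one plain content stream, one Flate content
    stream, and two Flate-compressed embedded fonts (FontFile2 style)."""
    parts = [
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"6 0 obj << /Length 10 >> stream\nq 1 0 0 RG\nendstream endobj\n",
        b"7 0 obj << /Filter /FlateDecode >> stream\n"
        + zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET") + b"\nendstream endobj\n",
    ]
    for num, tables in ((8, 3), (9, 5)):
        font = fake_sfnt(tables)
        parts.append(
            b"%d 0 obj << /Filter /FlateDecode /Length1 %d >> stream\n" % (num, len(font))
            + zlib.compress(font) + b"\nendstream endobj\n"
        )
    return b"".join(parts) + b"trailer << /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample()

if __name__ == "__main__":
    for row in carve_sfnt_streams(SAMPLE_PDF):
        print(row)
```

The offset recorded is that of the compressed stream body in the file, matching the off0005d20b-style naming above, while size and hash describe the inflated font; the hash is what lets an analyst check whether a carved font is a stock subset from the authoring tool or something worth a closer look.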