PDF malware analysis — malicious · 2de8304748b2945c

MALICIOUS

PDF

348.0 KB Created: 2015-08-22 08:48:59 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)

MD5: fa181f9dd0a16b5af0536b3c2e8f688a SHA-1: 61f31ae039756d2ba1b523e4410f86b4c6572079 SHA-256: 2de8304748b2945ce3766cfe93725a09a519b2d08ca7ba0f64e00cb7079b581a

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains an embedded link to a known malicious redirector, http://botcraftman.ru/. This heuristic indicates the document is designed to lure users to a potentially harmful website. No scripts were extracted from this sample, limiting further analysis of its specific payload delivery or execution methods.

Machine Learning

Nyx PDF Classifier suspicious score 0.3304

Heuristics 2

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://botcraftman.ru/?lip&keyword=%D1%82%D0%BA%D0%BF+45-104-37-2008+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000524f9.bin` `e53c200d48770f395ac7a0e259321ad1abe36d0eb2e7a92158cc445315d78f99`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x524F9	10204 bytes
`font_01_sfnt_off0005424a.bin` `b6a974da0c972425a8084293f7348a2434890ebe15e44e1c7b2c309bb0b6f2f1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5424A	14688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.