Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e116ade37329656…

Verdict: MALICIOUS
File type: PDF
Size: 374.9 KB
Created: 2015-08-26 11:59:51 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: baa89a2da6742fc5b332299c8e6bf9e3
SHA-1: 745a5665c29fce0acb52ed0c9e512ef9c0105507
SHA-256: 2e116ade373296561058b7654d11c7fad8862c9799449e55861b71640b7e746d
Risk score: 98

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
Note that the static findings below contain no PowerShell artifact; the T1059.001 mapping is the platform's campaign-level attribution and is not evidenced by this file's own contents.

The PDF contains an embedded JavaScript stream (/JS), and the critical heuristic PDF_MALICIOUS_REDIRECTOR_LINK fired on a clickable link annotation pointing to botcraftman.ru, a host flagged as malicious redirector infrastructure. The link's query string carries the search phrase 'passware windows key enterprise edition rus', and the other extracted URLs point to similarly named PDFs on img1.liveinternet.ru, so the document is a search-engine lure for people looking for pirated software or license keys. The JavaScript stream itself scored low: generic /JS is common in benign forms and no rule for a dangerous JavaScript API fired. The primary malicious signal is therefore the user-driven redirect chain, not a PDF parser exploit or an automatic script payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (3)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://botcraftman.ru/?lip&keyword=passware+windows+key+enterprise+edition+rus&charset=utf-8 (link annotation; matched by PDF_MALICIOUS_REDIRECTOR_LINK)
    • http://img1.liveinternet.ru/images/attach/c/7//4753/4753542_karta__goroda__rubcovska_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4753/4753723_otvetuy__na__egye_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4753/4753238_dolby__digital__skachat_.pdf
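The three heuristics above reduce to a raw-bytes scan of the PDF: count name tokens such as /JS and /JavaScript (the PDF_JS signal), extract URLs and label the channel they came from (EMBEDDED_URL), and match the link host against a deny list (PDF_MALICIOUS_REDIRECTOR_LINK). The following script is an added example of that logic and is not the analysis platform's code. The deny list (only botcraftman.ru), the sample document and the channel names are constructed for illustration; the sample also hex-escapes the /JavaScript name, a common evasion of naive token counting, to show why names must be normalized before counting.

```python
"""Static PDF triage mirroring the three heuristics above: name counting
(PDF_JS), URL extraction with a per-URL channel label (EMBEDDED_URL) and a
deny-list match on the link host (PDF_MALICIOUS_REDIRECTOR_LINK).
Added example; not the analysis platform's code. The deny list and the
sample document are constructed for illustration."""
import re
from urllib.parse import urlparse

# Assumed deny list: the only host the report flags is botcraftman.ru.
MALICIOUS_HOSTS = {"botcraftman.ru"}

# Name tokens that drive common PDF triage heuristics.
TOKENS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
          "/URI", "/EmbeddedFile", "/ObjStm")

# PDF name object: '/' followed by regular characters (no whitespace/delimiters).
NAME_RE = re.compile(rb"/[^\s/<>()\[\]{}%]+")
# /URI value written as a literal string. Hex strings (<...>) are not handled here.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any URL anywhere in the raw bytes (catches URLs in page text or metadata).
URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")

# Constructed sample (not the analysed file): one page with a link annotation to
# the redirector host, a page-open JavaScript action whose /JavaScript name is
# hex-escaped, and a body text string carrying a second URL. /Length values
# are not validated by a raw scan.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
    b"   /Annots [4 0 R] /AA << /O 5 0 R >> /Contents 7 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=passware"
    b"+windows+key+enterprise+edition+rus&charset=utf-8) >> >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length 21 >> stream\napp.alert('loaded');\nendstream endobj\n"
    b"7 0 obj << /Length 98 >> stream\nBT (http://img1.liveinternet.ru/images/"
    b"attach/c/7//4753/4753542_karta__goroda__rubcovska_.pdf) Tj ET\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects so /J#61vaScript counts as /JavaScript."""
    def decode(m):
        return re.sub(rb"#([0-9A-Fa-f]{2})",
                      lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return NAME_RE.sub(decode, data)


def count_tokens(data: bytes) -> dict:
    """Count each token as a whole name: the lookahead stops /JS matching /JSx."""
    return {tok: len(re.findall(re.escape(tok.encode()) + rb"(?![A-Za-z0-9_])", data))
            for tok in TOKENS}


def extract_urls(data: bytes) -> list:
    """Return (channel, url) pairs; a URL seen in a /URI action is not repeated as body."""
    seen, found = set(), []
    for channel, regex in (("link-annotation", URI_RE), ("body", URL_RE)):
        for m in regex.finditer(data):
            url = m.group(1 if regex is URI_RE else 0).decode("latin-1")
            if url not in seen:
                seen.add(url)
                found.append((channel, url))
    return found


def triage(data: bytes) -> dict:
    norm = normalize_names(data)
    counts = count_tokens(norm)
    urls = extract_urls(norm)
    findings = []
    if counts["/JS"] or counts["/JavaScript"]:
        findings.append(("PDF_JS", "low"))          # generic JS is low on its own
    if urls:
        findings.append(("EMBEDDED_URL", "info"))   # URL presence is not a detection
    bad = [u for _, u in urls
           if (urlparse(u).hostname or "").lower() in MALICIOUS_HOSTS]
    if bad:
        findings.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical"))
    # Caveat: names inside compressed object streams are invisible to a raw scan,
    # so /ObjStm > 0 with zero hits elsewhere means "decompress first", not "clean".
    return {"counts": counts, "urls": urls, "malicious_urls": bad, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for tok, n in report["counts"].items():
        print(f"{tok:14} {n}")
    for channel, url in report["urls"]:
        print(f"[{channel}] {url}")
    for rule, severity in report["findings"]:
        print(f"{severity:8} {rule}")
```

On the sample this yields /JS and /JavaScript once each, /URI twice (the /S /URI action type and the /URI key), the botcraftman.ru URL labelled link-annotation, the liveinternet.ru URL labelled body, and the three findings in the report's severities. The scan is deliberately raw: it does not inflate FlateDecode streams or unpack object streams, so on a real sample a zero /JS count next to a non-zero /ObjStm count should trigger decompression (pdf-parser or qpdf --qdf) before concluding anything.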

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both entries are embedded sfnt (TrueType/OpenType) font streams, which are expected in a wkhtmltopdf-generated document; no heuristic above fires on them.

Filename: font_00_sfnt_off0005937d.bin
  SHA-256: f82cda705e0eb78068b010178bb5325c270b9c38901024a43da1afc47a919759
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5937D
  Size: 8488 bytes

Filename: font_01_sfnt_off0005ab31.bin
  SHA-256: e64e3e60b305817408191e42f0a2f45fa33dcadf1e8d5c44b31e99771a761201
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5AB31
  Size: 16204 bytes