Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ed3486a3d5f8193…

MALICIOUS

PDF

338.1 KB Created: 2015-08-26 10:16:11 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 5b5dc76305e094fdeadfbf93731e1f3d SHA-1: 88b0be2565a4228f15878864bcf32ceb12ab0fc1 SHA-256: 2ed3486a3d5f8193ee273e0b09cfb0e10b1d8282e98dc1ef64aa415443a362e1
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains an embedded JavaScript stream and a critical heuristic firing for a malicious redirector link. The link points to 'http://botcraftman.ru/', which is known malicious infrastructure. This suggests the document is designed to redirect the user to a malicious site, likely for phishing or malware distribution. No specific family could be identified.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D0%BE%D1%88%D0%BB%D1%8B%D0%B5+%D0%B0%D0%BD%D0%B5%D0%BA%D0%B4%D0%BE%D1%82%D1%8B&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4752/4752344_dnevniki__vampira__6_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4752/4752022_skachat__sbornik__rok_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4752/4752220_miluye__obmanschicuy__kniga_.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000500bb.bin
171426077685e7b471ca7c80b92c8eef2bf064da18a58587057889876e8f4d0c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x500BB 9900 bytes
font_01_sfnt_off00051cbd.bin
4f3e52f5aee2a699b0b2263d08c1dd7b95c30d8a59cbe40a7d170d0090404e14		 pdf-font-stream PDF embedded font (sfnt) at offset 0x51CBD 13916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.