Malicious PDF — malware analysis report

Static analysis result for SHA-256 3be770b2d1b2b52b…

MALICIOUS

PDF

364.3 KB Created: 2015-08-21 09:18:45 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 427f906e33d78bbab6b92144c2f5f89d SHA-1: 818d9a6ccdfa28b0373b40d3b46e1c385eb19329 SHA-256: 3be770b2d1b2b52b288d2d6e6a0c835d97ec3cff169a8a96acee75bdb45242ae
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a heuristic firing indicating a link to known malicious redirector infrastructure. The embedded URL 'http://botcraftman.ru/...' is flagged as malicious. This suggests the document's primary purpose is to redirect the user to a potentially harmful website, likely for phishing or malware delivery. No scripts were extracted, limiting further analysis of the payload.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%A2%D0%B5%D0%BB%D0%B5%D1%84%D0%BE%D0%BD%D0%BD%D1%8B%D0%B9+%D1%81%D0%BF%D1%80%D0%B0%D0%B2%D0%BE%D1%87%D0%BD%D0%B8%D0%BA+%D0%B3%D0%BE%D0%BC%D0%B5%D0%BB%D1%8F+2014&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654714_star_stable_online_na_russkom_skachat.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654700_scenariy_otchetnogo_koncerta_vokalnogo_kollektiva.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654722_vyacheslav_dobruynin_diskografiya_skachat_torrent.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00056767.bin
15e64ef4bfb13101893717cf72dd9db0a19a2b26463adf216aa536850e49ca62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x56767 9120 bytes
font_01_sfnt_off000581e7.bin
03c367b352d935071fcbbe8469b8707a3ea7e9f59b69e11029832ad4dbe36c2e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x581E7 15480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.