Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c84b7f192890730…

MALICIOUS

PDF

Size: 356.1 KB
Created: 2015-08-23 21:00:05 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 332354b203221c852d84fab136318a94
SHA-1: 315b2fd468504f57acc7609bfdad14a7a5d6c1c2
SHA-256: 3c84b7f1928907302b6d284a7917cb1653b2422c427c8a9d47d7deca37514fa9
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector infrastructure, botcraftman.ru, which is likely intended to lead the user to a malicious site. The embedded URL is disguised within what appears to be garbled document content, suggesting an attempt to obscure its malicious nature. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=dead+rising+3+xbox+360+freeboot+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690110_soderzhanie__fayla__hosts_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690096_skachat__vzlom__wi_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690116_zabanili__v__chat_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000540df.bin
    SHA-256: 58deb273261b34850763338d99faab8bde936760bdee4789ece43a10e5ce3bc1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x540DF
    Size: 10456 bytes
  • Filename: font_01_sfnt_off00055dfd.bin
    SHA-256: 0639be8628171ab89a5494c09afa2de8cbc824610e2ebc2fce3f0c18f37ef4b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55DFD
    Size: 16612 bytes