Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e19732c32974d9a…

MALICIOUS

PDF

184.6 KB Created: 2015-07-24 11:58:54 +03:00 Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 3c76ce6cb6355470f123efae1460eeb3 SHA-1: 7098718f50e5fdff8c7ec5858ed9d44009cc3527 SHA-256: 3e19732c32974d9a56810d3c46314022ddd7f30bbe0ed4ac436d65a008123e00
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a link to a known malicious redirector. The embedded URL points to 'botcraftman.ru', which is flagged as malicious. This suggests the document's primary purpose is to redirect users to a harmful website, likely for phishing or malware delivery. No scripts were extracted, and the document body was truncated, limiting further analysis of the exact lure.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%9A%D0%BE%D0%BB%D0%BB%D0%B5%D0%B4%D0%B6+%D0%BC%D1%87%D1%81+%D0%B2+%D1%81%D0%BF%D0%B1&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4186/4186164_shablon_tablichki_esli_vam_meshaet_moy_avtomobil_raspechatat.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4185/4185342_panov_misteriya_mesti_skachat_besplatno_fb2.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184698_skachat_diablo_3_torrent_na_russkom_yazuyke.pdf

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00024094.bin
880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281		 pdf-font-stream PDF embedded font (sfnt) at offset 0x24094 3556 bytes
font_01_sfnt_off00024e17.bin
191b08d2920e36d2041fd4838fe529b543df10ec80718fbc3ff2484dcc8212cd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x24E17 14516 bytes
font_02_sfnt_off00027b7e.bin
fbe4af72ea4b6832e02f3a94d39805fe74296d1f62d5d4f3c350b4dd983b7d89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27B7E 14468 bytes
font_03_sfnt_off0002a62c.bin
841c678f5e190040fda3209f0bb0e71eaa7486169b28e6eb945601771251d9c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2A62C 6460 bytes
font_04_sfnt_off0002b876.bin
819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2B876 6084 bytes
font_05_sfnt_off0002c80b.bin
9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C80B 3752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.