Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f4991e8d883c153…

Verdict: MALICIOUS
File type: PDF
Size: 362.6 KB
Created: 2015-08-19 12:12:14 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 0c40d35034a7999fd1c69844456f2c45
SHA-1: f43453fed75cae67543f91e1fa4b358621cb131e
SHA-256: 3f4991e8d883c153a546d937d0341efb3a4ffd3d68d8be78f9d5dbabf68444be
Risk Score: 90

Malware Insights

MITRE ATT&CK
T1204.002 Malicious Link

The PDF contains a heuristic firing for a malicious redirector link, which points to botcraftman.ru. The document body, though heavily truncated and containing non-readable characters, includes keywords related to 'game hacker' and 'download', suggesting a lure for malicious software. The primary IOC is the malicious redirector URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+game+hacker+%D0%BD%D0%B0+%D0%B0%D0%BD%D0%B4%D1%80%D0%BE%D0%B8%D0%B4+%D0%BD%D0%B0+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626433_uchebnik_tehnologiya_4_klass_rogovceva_skachat.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496739_moguchie_reyndzheruy_yarost_dzhungley_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626440_chitat_onlayn_hroniki_razdolbaya_2_spor_na_balu_volanda.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00055d81.bin | 0444525db8218918e6ab0a5cc2e4bda1c3af18a8b9ba945d302c3f1f5307e672 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55D81 | 9800 bytes
font_01_sfnt_off00057880.bin | 76216014ebbbd326ae6b5233f7c424f1922452132ef7ee5720fd60aaacbb8d15 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57880 | 16184 bytes