Malicious PDF — malware analysis report

Static analysis result for SHA-256 43e1d4df0179044a…

MALICIOUS

PDF

Size: 371.8 KB
Created: 2015-08-27 23:43:35 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 1dbd28d6d541fc834dac209080a4fd9b
SHA-1: 4ee3940ef81e85cff6cffb2732f49070cb8c1383
SHA-256: 43e1d4df0179044acab521988c5a629fb419e8f91a0dcd99ca3f0666dbecf458
Risk Score: 90

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by a critical heuristic for containing a link to a known malicious redirector at http://botcraftman.ru/. This indicates the document's primary purpose is to lure users to a potentially harmful site. The ML classifier also strongly indicated maliciousness. No scripts were extracted, and the document body was unreadable, so the attack pattern is inferred solely from the malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%BD%D0%B8%D0%BA%D0%B8+%D0%BC%D0%B0%D0%B9%D0%BD%D0%BA%D1%80%D0%B0%D1%84%D1%82+%D1%81%D0%BE+%D1%81%D0%BA%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4787/4787835_skachat__igruy__na_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788012_50__ottenkov__svoboduy_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4787/4787808_planix__home__3d_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • Filename: font_00_sfnt_off000589ce.bin
    SHA-256: 901f8fd316338b5149e91d11539346f025ffc0e222d73636df70250e47ed2f8c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x589CE
    Size: 8336 bytes
  • Filename: font_01_sfnt_off0005a1dd.bin
    SHA-256: b11e94420d47e60bc4ab694e1d12accd24a2f3e02c8982023b05c44f2741a2f1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A1DD
    Size: 15260 bytes