Malicious PDF — malware analysis report

Static analysis result for SHA-256 44b6ea12e5d6a604…

Verdict: MALICIOUS
File type: PDF
Size: 300.5 KB
Created: 2015-08-24 00:05:35 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 29b29c6766ee16c3422f51ba84a7edbb
SHA-1: aff74ada2f704f659b76ebe0e35aa8650eaae935
SHA-256: 44b6ea12e5d6a604967122ba138003551ea92e66e580df70b1444f31ce2a082e
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell

The file was flagged by a machine learning classifier and carries a clickable link to known malicious redirector infrastructure. The embedded URL, http://botcraftman.ru/?lip&keyword=%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%86%D0%B8%D1%8F+4btx940lcd&charset=utf-8, is the primary indicator of malicious intent; its percent-encoded keyword decodes to the Russian word "Инструкция" ("manual") followed by an opaque token, consistent with an SEO-spam lure. The three img1.liveinternet.ru links point to similarly named PDFs (transliterated Russian titles such as "games for phone", "download steam api" and "download program for"), which matches the SEO/adware delivery campaign named by the heuristic, and the file was produced by an HTML-to-PDF conversion (wkhtmltopdf). The document body is heavily obfuscated and yields no clear textual clues, but the redirector link alone is sufficient to classify the sample as a phishing/redirection lure. Note that the attack depends on the user clicking the link: no JavaScript, OpenAction or parser exploit is reported, and nothing in the static findings below evidences the T1059.001 (PowerShell) mapping listed above.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7490

Heuristics (2)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%86%D0%B8%D1%8F+4btx940lcd&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693126_igruy__dlya__telefona_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693200_skachat__steam__api_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693462_skachat__programmu__dlya_.pdf
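The two heuristics above make a distinction worth keeping in your own triage tooling: a URL that merely appears in a PDF is informational, while a URI reached through a clickable /Link annotation to a known redirector host is the detection. The following Python is an added example of that logic, not the analysis platform's own code. It runs over a constructed minimal PDF (not the analysed sample) carrying the report's botcraftman.ru link, decodes the percent-encoded keyword, and checks the host against a hypothetical blocklist; the blocklist, the sample PDF and the label names are assumptions.

```python
"""Added example: extract URIs from PDF link annotations, decode the query
keyword, and label the file the way the report's heuristics do.
Illustrative triage code, not the analysis platform's logic."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed minimal PDF (not the analysed sample): one page with a single
# /Link annotation whose /URI action points at the redirector URL from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 540 720]
 /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=%D0%98%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%86%D0%B8%D1%8F+4btx940lcd&charset=utf-8) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hypothetical blocklist; the report names only this host as redirector infrastructure.
KNOWN_REDIRECTOR_HOSTS = {"botcraftman.ru"}

# Matches literal-string /URI actions only. Hex strings (<...>) and objects
# inside FlateDecode'd object streams would have to be decoded first.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")
# Markers for non-click channels: document-level JavaScript and auto-run actions.
JS_MARKER = re.compile(rb"/S\s*/JavaScript|/JS\s*[(<\d]")
OPEN_ACTION = re.compile(rb"/OpenAction")


def extract_link_uris(pdf: bytes) -> List[str]:
    """URIs reached through /Link annotation actions (the user-click channel)."""
    return [m.group("uri").decode("latin-1") for m in URI_ACTION.finditer(pdf)]


def decode_keyword(url: str) -> Optional[str]:
    """Percent-decode the 'keyword' query parameter as UTF-8 ('+' becomes a space)."""
    values = parse_qs(urlsplit(url).query).get("keyword")
    return values[0] if values else None


def triage(pdf: bytes) -> Dict[str, object]:
    """A clickable URI to a known redirector host is the detection (critical);
    any other extracted URL is informational only, as in the report."""
    uris = extract_link_uris(pdf)
    hits = [u for u in uris if (urlsplit(u).hostname or "").lower() in KNOWN_REDIRECTOR_HOSTS]
    has_js = bool(JS_MARKER.search(pdf))
    has_open_action = bool(OPEN_ACTION.search(pdf))
    if hits:
        label = "PDF_MALICIOUS_REDIRECTOR_LINK"  # critical
    elif uris:
        label = "EMBEDDED_URL"  # info only
    else:
        label = "NO_URL"
    return {
        "uris": uris,
        "hits": hits,
        "keywords": {u: decode_keyword(u) for u in uris},
        "has_js": has_js,
        "has_open_action": has_open_action,
        # True when the only way to reach the URL is a user click on the link.
        "needs_user_click": bool(uris) and not (has_js or has_open_action),
        "label": label,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On a real sample, run the extractor over decompressed streams (for example the output of `qpdf --qdf --object-streams=disable` or a pypdf-style object walk) rather than the raw bytes, or link annotations packed into object streams will be missed; the `needs_user_click` flag is what separates this lure class from PDFs that fire on open.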

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000467af.bin
  SHA-256: 4d237f1479dfda240d6df6c56e7bb00946ab22aaa7616f3ec9f20c776707e252
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x467AF
  Size: 8880 bytes

Filename: font_01_sfnt_off000481a6.bin
  SHA-256: e103922e18be8fa819dea40a3c7b59a04935c88e31870a6ad85d9360662b7425
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x481A6
  Size: 16584 bytes