Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c16abf6d20e3354…

MALICIOUS

PDF

Size: 185.0 KB
Created: 2015-08-05 13:55:55 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 9a72cbd2b31fb33881b28b52f1b6b1c1
SHA-1: 10bb7c57c1a4585dc6b962b570d666a665df9afe
SHA-256: 4c16abf6d20e3354bb6cfd9035efe0c0c01c577604736eb327ed9c82406a45c4
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 Malicious Link

The PDF file was flagged by a critical heuristic for linking to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The embedded URL points to botcraftman.ru, which is associated with malicious redirects. No scripts were extracted from this sample, and the document body was not sufficiently readable to infer a specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%9C%D0%BE%D0%B4+%D0%BD%D0%B0+%D1%81%D0%B5%D0%BA%D1%81+%D0%B4%D0%BB%D1%8F+%D0%BC%D0%B0%D0%B9%D0%BD%D0%BA%D1%80%D0%B0%D1%84%D1%82+152&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304431_payday_2_skachat_torrent_na_russkom_ot_mehanikov.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304708_itogovuyy_test_po_biologii_7_klass_s_otvetami.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4304/4304752_zayavlenie_ob_utochnenii_iskovuyh_trebovaniy_v_arbitrazhnuyy_sud.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00023f3d.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23F3D
    Size: 3556 bytes
  • font_01_sfnt_off00024cc0.bin
    SHA-256: 42f658a2b440995de0b7fd29e644e83ee85b139c4594c6b709bbc36e66bf5b07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24CC0
    Size: 15140 bytes
  • font_02_sfnt_off00027b60.bin
    SHA-256: cfe700f2d36c9099e036fab54dcb7a869333f3c3c99075ac04c4f40eaea759a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27B60
    Size: 14640 bytes
  • font_03_sfnt_off0002a691.bin
    SHA-256: d9ef1db7c800d8f9d7e0884f2ab8b360b69c9ac09460253cd725f613bdc905d8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A691
    Size: 6836 bytes
  • font_04_sfnt_off0002ba5f.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BA5F
    Size: 6084 bytes
  • font_05_sfnt_off0002c9f4.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C9F4
    Size: 3752 bytes