Malicious PDF — malware analysis report

Static analysis result for SHA-256 4db16950206a68ac…

MALICIOUS

PDF

Size: 379.1 KB
Created: 2015-08-26 10:15:35 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 89a93e599cd07381d39063ce582167b0
SHA-1: 62e4daaa25a1c0375673d6b02d6a88d71b18238b
SHA-256: 4db16950206a68ac5de3370d5097fbed9be05141fa4d5dc4f9e60a0f6e36368d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, botcraftman.ru. This indicates the document is likely part of a phishing or malware distribution campaign. No scripts were extracted, and the document body was heavily obfuscated, preventing further analysis of the specific lure. The file was generated by wkhtmltopdf, which is sometimes used to create malicious PDFs.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%B4%D0%B5%D0%BC%D0%BE%D0%B2%D0%B5%D1%80%D1%81%D0%B8%D1%8F+%D0%B5%D0%B3%D1%8D+%D0%BF%D0%BE+%D0%B0%D0%BD%D0%B3%D0%BB%D0%B8%D0%B9%D1%81%D0%BA%D0%BE%D0%BC%D1%83+%D1%8F%D0%B7%D1%8B%D0%BA%D1%83+2015+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4752/4752211_daisy__5501__kak_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751883_krossvorduy__po__russkomu_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751857_ktp__1__klass_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0005a61e.bin
    SHA-256: c79523360bbbfdb8f4a8c52fbeada2f3e21bd2c201a544f0253aa1f7eb8c048f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A61E
    Size: 8836 bytes
  • Filename: font_01_sfnt_off0005bfbe.bin
    SHA-256: 42c94c37eba8922788bd3eacb8b02b9da350315b566be723212a08cad14776c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5BFBE
    Size: 14812 bytes