Malicious PDF — malware analysis report

Static analysis result for SHA-256 537b48aaa29a63e4…

MALICIOUS

PDF

Size: 348.9 KB
Created: 2015-08-21 09:20:38 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 248773b50e74a7f436150a362f58b470
SHA-1: e21e951caa1e432a1dc8057f29943a5f481a505f
SHA-256: 537b48aaa29a63e405fb59a3b032a1305b46ca6574c97c72385fe8e05763ae1b
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including a critical alert for a malicious redirector link to 'botcraftman.ru'. The ML classifier also strongly indicated maliciousness. The file is identified by ClamAV as 'Pdf.Dropper.Agent-8934867-0', suggesting it's designed to drop or execute other malicious content. The presence of a malicious URL indicates a likely phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Dropper.Agent-8934867-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8934867-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%BE%D0%BF%D0%B8%D1%81%D0%B0%D0%BD%D0%B8%D0%B5+%D0%BE%D0%B1%D1%8A%D0%B5%D0%BA%D1%82%D0%B0+%D0%B7%D0%B0%D0%BA%D1%83%D0%BF%D0%BA%D0%B8+%D0%BF%D0%BE+44-%D1%84%D0%B7+%D0%BE%D0%B1%D1%80%D0%B0%D0%B7%D0%B5%D1%86&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654717_skachat_sabvey_serf_na_nokiya_asha_311.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654689_skachat_igru_metro_2034_cherez_torrent_besplatno_na_russkom.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654714_star_stable_online_na_russkom_skachat.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00052d97.bin
    SHA-256: 083b3ea47ec9108a3e9e9861ff0f9a51d80f67df9022a67c0953f869f2215bb4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x52D97
    Size: 8264 bytes
  • Filename: font_01_sfnt_off000545f6.bin
    SHA-256: a1f09cbcfc2aad3a94cd69244fd144f03581c66f325039010bffc022b75020fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x545F6
    Size: 14848 bytes