Malicious PDF — malware analysis report

Static analysis result for SHA-256 552ed91ebe709e72…

Verdict: MALICIOUS
File type: PDF
Size: 183.5 KB
Created: 2015-08-08 10:50:02 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 603be209e57fda75a7dff998066aafea
SHA-1: b4b46489e4d0e2b1cd4bf00ab1f506d25153a356
SHA-256: 552ed91ebe709e7254cc6b5301167257badee7d44a031b3db33279a3727191fd
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged for containing a link to a known malicious redirector. This indicates a likely attempt to lure the user to a malicious website for phishing or malware delivery. The document body is heavily obfuscated and appears to be primarily image data, offering no further clues about the specific lure. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+itunes+9+%D0%B4%D0%BB%D1%8F+64&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385282_drayver_videokontrollera_vga_sovmestimuyy_kod_28_skachat.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385717_shantaram_skachat_besplatno_na_android.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4383/4383732_delfinariy_na_russkom_ostrove.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, its SHA-256, the artifact kind, where in the PDF it came from, and its size.

stream_048_off0002a052.bin
  SHA-256: ab0f730856b7bdda7dd4dbf9eb2fec28e7f04e315898c1b594c407588113f9cb
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x2A052
  Size:    6840 bytes

font_00_sfnt_off00023b0f.bin
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x23B0F
  Size:    3556 bytes

font_01_sfnt_off00024892.bin
  SHA-256: 0eacf6747ea7da5e51a2b55950cfd397e3334e267999f1d9944b36c650ec4dda
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x24892
  Size:    14420 bytes

font_02_sfnt_off00027546.bin
  SHA-256: 258e6316e029123682682033486b9ec180e14ae01eea79ac1b5df5a219d327af
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x27546
  Size:    14576 bytes

font_04_sfnt_off0002b41b.bin
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2B41B
  Size:    6084 bytes

font_05_sfnt_off0002c3b0.bin
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2C3B0
  Size:    3752 bytes