Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bfec04ba147941d…

Verdict: MALICIOUS
File type: PDF
Size: 188.6 KB
Created: 2015-07-24 09:08:31 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 613d10bf1fb18de4f7aa68a6d794b66d
SHA-1: 1ee821dde93e3682fa3ef305f5fc0db195104cfa
SHA-256: 6bfec04ba147941d5d4cfac3f677cd246607f7d47d1f7100a71e0eff2d5a3c8c
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a critical heuristic firing indicating a link to known malicious redirector infrastructure. The embedded URL points to 'botcraftman.ru', which is associated with malicious activity. While no scripts were explicitly extracted, the PDF structure and the malicious link strongly suggest an attempt to lure the user to a compromised site for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) [PDF_MALICIOUS_REDIRECTOR_LINK]
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B8%D0%B3%D1%80%D1%83+%D0%BC%D0%B0%D1%88%D0%B8%D0%BD%D0%B0%D1%80%D0%B8%D1%83%D0%BC+2+%D0%BD%D0%B0+%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D1%87%D0%B5%D1%80%D0%B5%D0%B7+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/5//4189/4189672_stiven_king_strana_radosti_skachat_besplatno_txt.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184503_skachat_java_dlya_maynkraft_152.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4185/4185127_licenzionnuyy_klyuch_navitel_skachat.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00024ce4.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x24CE4  3556 bytes
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
font_01_sfnt_off00025a67.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x25A67  15100 bytes
  SHA-256: 3fc64d8e86ad192c84d3fe8b235fbfcbe5c71aea853dbfcaeb06099ec2d35c9a
font_02_sfnt_off00028913.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x28913  14520 bytes
  SHA-256: b394368be0fd7a42289feb4e4b8a8e8c9167ddce96a1aeb375362bbacb4b24ab
font_03_sfnt_off0002b3e3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2B3E3  7092 bytes
  SHA-256: 628e3cffd93aaed7d53a429c32cd628aeedcee8a8c6a64c6027ebf353f20f4de
font_04_sfnt_off0002c883.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2C883  6084 bytes
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
font_05_sfnt_off0002d818.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2D818  3752 bytes
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e