Malicious PDF — malware analysis report

Static analysis result for SHA-256 6dfc46f7d23d8f83…

Verdict: MALICIOUS
File type: PDF
Size: 187.0 KB
Created: 2015-07-25 00:00:52 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 354394ad443516d9cb3a8115732b4c03
SHA-1: c6640a7a7bea07ab5b3eae45583f416e377d37f8
SHA-256: 6dfc46f7d23d8f83500397e18c4d558ca094f730fc955bd125a1899f3d36f9ff
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF triggers a critical heuristic for a malicious redirector link pointing to botcraftman.ru. This URL is likely used to host or distribute malware, or to redirect users to phishing pages. The document body, though truncated, indicates it was generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. The presence of embedded URLs advertising cracked software further supports malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (critical, PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • PDF link farm advertises cracked/pirated software (medium, PDF_CRACKED_SOFTWARE_LURE)
    PDF contains many clickable links whose targets use cracked-software, keygen, serial-key, or warez vocabulary. These are SEO-spam lure documents that rank for software-piracy searches and route users to fake 'crack' download pages distributing potentially-unwanted programs, adware, or droppers. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=tnod+user+password+finder+15016+rus+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184819_pripyat_3d_yekskursiya_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4192/4192769_windows_xp_home_edition_sp2_skachat_torrent.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4185/4185383_skachat_serial_zakruytaya_shkola_2_sezon_cherez_torrent.pdf
    • http://www.microsoft.com/typography/fonts/You
    • http://www.microsoft.com/typography/fonts/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: stream_048_off0002aafe.bin
  SHA-256: 762019a93ddf0f5521ceaa4d42bec1b27a54e9babada3a8dcb7ea49d7a361597
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2AAFE
  Size: 7896 bytes

Filename: font_00_sfnt_off000243a6.bin
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x243A6
  Size: 3556 bytes

Filename: font_01_sfnt_off00025129.bin
  SHA-256: 3401984d89a47058efcccb37845efca625141684ff938e1e117609a0d5af0c43
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x25129
  Size: 14836 bytes

Filename: font_02_sfnt_off00027f38.bin
  SHA-256: 625cb064066f387a31b89145729fd37988dbfc3449bd75b44cc81612e4f7fa32
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27F38
  Size: 14812 bytes

Filename: font_04_sfnt_off0002c257.bin
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2C257
  Size: 6084 bytes

Filename: font_05_sfnt_off0002d1ec.bin
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2D1EC
  Size: 3752 bytes