Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f49eb54a9f4efee…

Verdict: MALICIOUS
File type: PDF
Size: 184.3 KB
Created: 2015-07-23 21:08:28 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: d895593c924a36875377ca15bce56857
SHA-1: c578bd9ea7b4bb209ba6166c47784e7f51a6014f
SHA-256: 6f49eb54a9f4efeee89be39449136c21c2e7ecba4048226b739ba6e3d3ec1ed4
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a link to a known malicious redirector, botcraftman.ru, which is a strong indicator of malicious intent. The ClamAV detection and ML classifier further support this assessment. This type of PDF is often used to lure users to malicious sites to download further payloads or initiate phishing campaigns.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Dropper.Agent-8787692-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8787692-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%BB%D0%B8%D1%86%D0%B5%D0%BD%D0%B7%D0%B8%D0%BE%D0%BD%D0%BD%D1%8B%D0%B9+%D0%BA%D0%BB%D1%8E%D1%87+%D0%B4%D0%BB%D1%8F+%D0%BD%D0%B0%D0%B2%D0%B8%D1%82%D0%B5%D0%BB&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184794_osnovuy_reanimatologii_zaryanskaya_skachat.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184668_ati_mobility_radeon_hd_4570_drayver_skachat.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184723_radeon_x1650_series_drayver_skachat.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source (location inside the PDF), size and SHA-256.

  • font_00_sfnt_off00023e26.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x23E26; Size: 3556 bytes
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off00024ba9.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x24BA9; Size: 14732 bytes
    SHA-256: bf9490c1dd61407af94fd8757a4316a152c6377cc5a39e8e25cb409400fc0ef8
  • font_02_sfnt_off00027944.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x27944; Size: 14468 bytes
    SHA-256: e68f81527f1cd5a6307854472862c4c4219a83f5c07265ef16b2cd24c96f1be3
  • font_03_sfnt_off0002a3f5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2A3F5; Size: 6844 bytes
    SHA-256: bd0d249c24c9c2706200f665ad338aca9e82c9ceefdf27841a1b2ded16ea6b9d
  • font_04_sfnt_off0002b796.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2B796; Size: 6084 bytes
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002c72b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2C72B; Size: 3752 bytes
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e