Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c1aaca3350bef2d…

MALICIOUS

PDF

357.3 KB Created: 2015-08-28 19:00:44 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 6a417488dc5933738bfbdf64e63253ff SHA-1: b0483ddc7b8219908c99c539c6b817177e06c79b SHA-256: 7c1aaca3350bef2d876ff569669270ee7abac3ff6cf40b7f30faac6506151b30
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a critical heuristic firing for a malicious redirector link pointing to botcraftman.ru. ClamAV also detected the file as Pdf.Dropper.Agent-8935290-0. The embedded URL is likely used to lure the user to a malicious site for phishing or to download further malware. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Dropper.Agent-8935290-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8935290-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D0%BE%D1%80%D0%BD%D0%BE+%D0%B1%D1%80%D0%B0%D1%82+%D0%B5%D0%B1%D0%B5%D1%82+%D1%81%D0%B5%D1%81%D1%82%D1%80%D1%83&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4810/4810060_clock__watchdog__timeout_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4809/4809881_igruy__na__telefon_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4810/4810365_raspayka__naushnikov_.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00054f09.bin
ddee5aede1cac0572b10d9571fa33a57cd919a13585579ef12c62d018fc37787		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54F09 7732 bytes
font_01_sfnt_off000565a7.bin
e05aea0c7609b89c95b219050026e54997006d2718c1835998539c5400d1ef66		 pdf-font-stream PDF embedded font (sfnt) at offset 0x565A7 15844 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.