Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cbd3561cccf9d8c…

MALICIOUS

PDF

361.7 KB Created: 2015-08-25 22:16:05 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6) First seen: 2021-08-25
MD5: 6fa23d6c0f04f201b4dae37001944358 SHA-1: 0ef91bb1ebb62161d033a1031dd1ecd745d22784 SHA-256: 7cbd3561cccf9d8c41ffe9599d8dbd1b25f594a7d15e3af93db0c9274adf4768
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link to a known malicious redirector, botcraftman.ru, which is designed to lure users with keywords related to downloading games. This indicates a phishing or scam attempt, likely using the document as an attachment in a spearphishing campaign. No scripts were extracted, but the presence of a malicious redirector is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9851

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+real+racing+3+%D0%BD%D0%B0+%D0%B0%D0%BD%D0%B4%D1%80%D0%BE%D0%B8%D0%B4+%D0%BC%D0%BD%D0%BE%D0%B3%D0%BE+%D0%B4%D0%B5%D0%BD%D0%B5%D0%B3+%D0%B8+%D0%B7%D0%BE%D0%BB%D0%BE%D1%82%D0%B0&charset=utf-8 In PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740636_skachat__kartuy__na_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740715_nero__6__skachat_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740564_navigacionnuye__programmuy__dlya_.pdfIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00055c3d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x55C3D 9388 bytes
SHA-256: 3987cd79faec5dd7c3565315a770fb2b2c450f0b1240531563a0cb50392d08d2
font_01_sfnt_off0005766a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5766A 15580 bytes
SHA-256: 814dc57b2c8e2f93ca9a8c7835ee76120d92d5b587d36e8bbf5fea647d2fa22f