Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f897ed3df621e90…

Verdict: MALICIOUS
File type: PDF
Size: 186.8 KB
Created: 2015-08-08 13:14:12 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 1bd042c371bdc7e262010051b1abbbd2
SHA-1: 504aa84d8a761077cb119a08df738cab8dae03f5
SHA-256: 7f897ed3df621e9021b99f1688222ec93c9684bcef00fadabd164c9b9a4a1a15
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

A critical heuristic fired on a clickable link annotation pointing at http://botcraftman.ru/, redirector infrastructure tied to a known PDF SEO/adware delivery campaign. The link's query string carries a Russian search phrase (keyword= decodes to "николас спаркс лучшее во мне скачать fb2 бесплатно", i.e. "nicholas sparks the best of me download fb2 free"), the pattern of a search-engine-poisoning lure: the document is generated from HTML (wkhtmltopdf) to rank for a "free download" query and funnel the reader through a redirect chain to adware or malware. The ML classifier independently scored the file 0.9982 malicious. No JavaScript or other active content was extracted, so the document depends on the reader clicking the link rather than on a parser exploit; the redirector link, corroborated by the classifier, is the basis for the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%BD%D0%B8%D0%BA%D0%BE%D0%BB%D0%B0%D1%81+%D1%81%D0%BF%D0%B0%D1%80%D0%BA%D1%81+%D0%BB%D1%83%D1%87%D1%88%D0%B5%D0%B5+%D0%B2%D0%BE+%D0%BC%D0%BD%D0%B5+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+fb2+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
      (link annotation; keyword= percent-decodes as UTF-8 to "николас спаркс лучшее во мне скачать fb2 бесплатно", English: "nicholas sparks the best of me download fb2 free")
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/6//4386/4386345_liberta_albano_i_ramina_pauyer_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4388/4388337_nfp_2013_tablica_ballov.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4391/4391085_fs_videobox__windows.pdf
    • http://www.microsoft.com/typography/fonts/
    • http://www.microsoft.com/typography/fonts/You
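The redirector-link heuristic above amounts to three steps: pull every /URI action out of the document's link annotations, percent-decode the query so the lure text is readable, and match the host against redirector infrastructure. The script below is an added example written for this page, not the analysis engine's own code. It runs on a constructed, uncompressed stand-in PDF (embedded inline) that carries the report's botcraftman.ru link and one benign font-vendor link; the one-entry watchlist REDIRECTOR_HOSTS is a hypothetical placeholder for a real feed.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the sample: a minimal, uncompressed PDF with two /Link
# annotations. The first URI is the redirector URL from the report; the second is a
# benign font-vendor URL of the kind also listed in the report. Not the real sample.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
  /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=%D0%BD%D0%B8%D0%BA%D0%BE%D0%BB%D0%B0%D1%81+%D1%81%D0%BF%D0%B0%D1%80%D0%BA%D1%81+%D0%BB%D1%83%D1%87%D1%88%D0%B5%D0%B5+%D0%B2%D0%BE+%D0%BC%D0%BD%D0%B5+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+fb2+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 660 300 680]
  /A << /S /URI /URI (http://www.microsoft.com/typography/fonts/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Hypothetical watchlist of redirector hosts (assumption: a real engine loads a feed).
# The single entry is the host named in the report.
REDIRECTOR_HOSTS = {"botcraftman.ru"}

# A /URI value is a PDF literal string "( ... )" with backslash escapes; the regex
# tolerates escaped parentheses, and _ESC undoes the escapes that matter for URLs.
_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
_ESC = ((b"\\\\", b"\\"), (b"\\(", b"("), (b"\\)", b")"))


def extract_link_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI action target found in uncompressed PDF objects.

    Objects stored in FlateDecode'd object streams are invisible to this regex;
    inflate them with zlib first, or use a real parser (e.g. pypdf) for such files.
    """
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, lit in _ESC:
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def decode_keyword(url: str) -> Optional[str]:
    """Percent-decode the keyword= query parameter (UTF-8, '+' as space) that these
    SEO lures carry; returns None when the URL has no such parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    vals = params.get("keyword")
    return vals[0] if vals else None


def classify(uris: List[str]) -> dict:
    """Apply a PDF_MALICIOUS_REDIRECTOR_LINK-style check: a clickable URI whose host
    is on the watchlist is a critical hit; every other URI is informational only."""
    hits = [u for u in uris if (urlsplit(u).hostname or "") in REDIRECTOR_HOSTS]
    return {
        "verdict": "malicious" if hits else "no-redirector-hit",
        "hits": hits,
        "keywords": [decode_keyword(u) for u in hits],
        "all_uris": uris,
    }


if __name__ == "__main__":
    result = classify(extract_link_uris(SAMPLE_PDF))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The watchlist match is deliberately the only thing that raises the verdict; the decoded keyword is context for the analyst (it shows what search query the lure targets), not a detection on its own, which mirrors the report's split between the critical heuristic and the informational EMBEDDED_URL entry.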

Extracted artifacts (6)

Files carved from inside the sample during analysis. All six are embedded sfnt fonts (kind pdf-font-stream), consistent with a document rendered from HTML by wkhtmltopdf; no executable, script or second-stage payload was carved.

font_00_sfnt_off0002457c.bin
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2457C
  Size: 3556 bytes

font_01_sfnt_off000252ff.bin
  SHA-256: 73909bda9e4d2176c5140b7cde6b0af504d561b7f993cdbc32eb9fa61b142eda
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x252FF
  Size: 14656 bytes

font_02_sfnt_off00028150.bin
  SHA-256: 39921ee618710e5838ce3bb1567f690d40509e9b1b53585bfb2620520e7e7e09
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x28150
  Size: 14752 bytes

font_03_sfnt_off0002acdf.bin
  SHA-256: c433de49660f8bc5a90834efec378f0d5750c54e86a2bac225a3b88f498fd912
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2ACDF
  Size: 7076 bytes

font_04_sfnt_off0002c17d.bin
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2C17D
  Size: 6084 bytes

font_05_sfnt_off0002d112.bin
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2D112
  Size: 3752 bytes
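To reproduce an artifact list like the one above, or to check that a carved file really is a complete font and not a truncated or over-long slice, carve by the sfnt header rather than by a fixed size: the table directory names every table's offset and length, so the font's true extent is the end of its last table. The script below is an added example for this page, not the analysis tool's own carver. It scans a constructed byte blob (a fake PDF wrapper around a synthetic two-table TrueType-style font, built inline) for the three sfnt magics, rejects look-alikes such as the PDF keyword "true" by validating the directory, and hashes each carve so the SHA-256 can be compared with the values listed above. Real PDFs usually store FontFile2 streams FlateDecode-compressed; inflate those streams first, which this example does not do.

```python
import hashlib
import re
import struct
from typing import Dict, List, Optional

# sfnt containers begin with one of these tags: TrueType 1.0, Apple 'true', CFF-based 'OTTO'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")
MAX_TABLES = 64  # sanity bound; real fonts carry roughly 10-25 tables


def sfnt_length(buf: bytes, off: int) -> Optional[int]:
    """Validate the table directory at buf[off:] and return the font's total length
    (end of the farthest table, 4-byte aligned), or None if this is not a plausible sfnt."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        # Table tags are printable ASCII (e.g. 'head', 'cvt ', 'OS/2'); binary junk fails here.
        if not all(0x20 <= b <= 0x7E for b in tag):
            return None
        # Tables live after the directory and inside the buffer.
        if toff < dir_end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return (end + 3) & ~3


def carve_sfnt(buf: bytes) -> List[Dict]:
    """Find every validated sfnt in buf; return offset, size and SHA-256 for each.
    Candidates that fall inside an already-carved font are skipped."""
    candidates = sorted({m.start() for magic in SFNT_MAGICS
                         for m in re.finditer(re.escape(magic), buf)})
    found, skip_until = [], 0
    for off in candidates:
        if off < skip_until:
            continue
        length = sfnt_length(buf, off)
        if length is None:
            continue
        blob = buf[off:off + length]
        found.append({"offset": off, "size": length,
                      "sha256": hashlib.sha256(blob).hexdigest()})
        skip_until = off + length
    return found


def build_fake_sfnt() -> bytes:
    """Constructed test input: a syntactically valid two-table sfnt (not a usable font)."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"FakeFont10")]
    off = 12 + 16 * len(tables)
    directory, body = b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
        body += padded
        off += len(padded)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0)
    return header + directory + body


# Constructed blob: PDF-looking text containing the keyword "true" (a magic look-alike
# that must be rejected), then the fake font inside a stream, then trailing text.
PREFIX = b"%PDF-1.4\n1 0 obj << /Interpolate true /Length 112 >>\nstream\n"
FAKE_FONT = build_fake_sfnt()
SAMPLE_BLOB = PREFIX + FAKE_FONT + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for art in carve_sfnt(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{art['offset']:X}  {art['size']} bytes  sha256 {art['sha256']}")
```

When the carved size or hash disagrees with the report's artifact entry, the difference is almost always the carve boundary (stream padding, a decompressed versus raw stream, or a trailing table the tool did not count), not a different font; compare the table directories before treating it as a discrepancy.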