Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c8ca5bdc6fcdb4f…

MALICIOUS

PDF

379.7 KB Created: 2015-08-28 11:39:29 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 936e7808383cce065a9d11806164eaba SHA-1: 1d331433ac54122c561706840b8305704d5b2474 SHA-256: 8c8ca5bdc6fcdb4fbc70304022700e6baba763b0f55242c1b268662ddc12d8eb
68 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains an embedded JavaScript stream and a critical heuristic firing for a malicious redirector link. The link points to 'http://botcraftman.ru/', which is identified as known malicious infrastructure. This suggests the PDF is designed to redirect the user to a harmful website, likely for phishing or malware distribution.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B4%D0%B5%D1%82%D0%B8+90-%D1%85+%D0%B2%D1%81%D0%B5+%D1%81%D0%B5%D1%80%D0%B8%D0%B8&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802408_flash__player___.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802377_doktor__kto__19631989_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4802/4802386_skachat__gta_.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005a4c4.bin
ad9bbecac0e23f65c555faa1a27f30198c39aed7bc2c700bf60c90dd21423f98		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A4C4 8536 bytes
font_01_sfnt_off0005bc3c.bin
fad544f009b1285842995d7f592c25c9fccabe889b9ce454279f6985f08d6bd7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BC3C 16820 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.