Malicious PDF — malware analysis report

Static analysis result for SHA-256 910ab6d9ca153813…

Verdict: MALICIOUS
File type: PDF
Size: 346.7 KB
Created: 2015-08-28 01:23:32 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 703ecdd5b32e9cc3452a2ab324eb7f5c
SHA-1: 91b62486c450b13cb026e62a4e6beaee4594f543
SHA-256: 910ab6d9ca153813fcbef73a84008fb182984a4ccdbbca7903a4a272f5b8730f
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, botcraftman.ru. This indicates the document is likely part of a phishing or malware distribution campaign. The embedded link is the primary indicator of malicious intent. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%88%D0%B0%D0%B1%D0%BB%D0%BE%D0%BD%D1%8B+%D0%BB%D0%B8%D1%81%D1%82%D0%B2%D1%8B+%D0%B2%D1%8B%D1%82%D1%8B%D0%BA%D0%B0%D0%BD%D0%BA%D0%B8+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4790/4790031_vlastelin__kolec__vozvraschenie_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788553_novosti__chituy__i_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4787/4787885_skachat__igru__luntik_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0005292f.bin
    SHA-256: b8cbe29318385e5b62cbbd34041e8a89c8ebb11bee1af06c21809e3846f82188
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5292F
    Size: 7972 bytes
  • Filename: font_01_sfnt_off0005402b.bin
    SHA-256: de8e66a5d93f2461137bb565c36620f99f068d05adfbfc2a09cb3eb30e72bcb8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5402B
    Size: 13528 bytes