Malicious PDF — malware analysis report

Static analysis result for SHA-256 944fb99630455eaa…

Verdict: MALICIOUS
File type: PDF, 361.7 KB
Created: 2015-08-24 00:45:43 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 14e93693880c1022b21e3494844798e1
SHA-1: bcd9f460a15b5be93798546cc2339c5eb8829c7f
SHA-256: 944fb99630455eaa2bd9053fd5d98f345fc1f6e9398d9716e7da99c63604ab3e
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell (not supported by the extracted artifacts: no script of any kind was recovered from this sample, so treat this tag as a campaign-level association rather than observed behaviour)

The PDF was flagged by a machine learning classifier and carries a clickable link to known malicious redirector infrastructure: the embedded URL points to botcraftman.ru, a host tied to a malicious PDF SEO/adware delivery campaign. The document body is heavily obfuscated and not readable as text, so the visible lure could not be recovered from the page content itself. The redirector URL does reveal the bait, however: its percent-encoded `keyword` parameter decodes to the Russian search phrase "Скачать бесплатно говорящего кота на нокиа 5228" ("Download free talking cat for Nokia 5228"), typical of search-engine-poisoning lures. The three remaining URLs point to other PDFs on liveinternet.ru image storage with transliterated Russian "download"/"how to activate" filenames, consistent with the same campaign. The file was generated from HTML by wkhtmltopdf, and no JavaScript or other scripts were extracted from it, so delivery depends on the victim clicking the link and following the redirect chain rather than on any exploit in the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (2)

  • PDF_MALICIOUS_REDIRECTOR_LINK (critical): PDF links to known malicious redirector infrastructure
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged redirector URL:
      • http://botcraftman.ru/?lip&keyword=%D0%A1%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%B3%D0%BE%D0%B2%D0%BE%D1%80%D1%8F%D1%89%D0%B5%D0%B3%D0%BE+%D0%BA%D0%BE%D1%82%D0%B0+%D0%BD%D0%B0+%D0%BD%D0%BE%D0%BA%D0%B8%D0%B0+5228&charset=utf-8
    Other extracted URLs:
      • http://img1.liveinternet.ru/images/attach/c/6//4693/4693485_kak__aktivirovat__microsoft_.pdf
      • http://img0.liveinternet.ru/images/attach/c/6//4694/4694413_cyfral__ccd__20_.pdf
      • http://img1.liveinternet.ru/images/attach/c/6//4693/4693469_skachat__asku__na_.pdf
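The EMBEDDED_URL channel labels above come from pulling /URI actions out of the file. The scanner below is an added example written for this page, not the analysis platform's code. It builds a constructed minimal PDF (not the analysed sample) that carries the report's redirector URL and two of the liveinternet.ru links, one as a hex string and one hidden inside a FlateDecode stream, then extracts every URI, percent-decodes the `keyword` parameter and checks each host against a blocklist. The blocklist containing botcraftman.ru is an assumption standing in for real intelligence.

```python
"""Extract clickable URIs from a PDF and triage them against known redirector hosts.

Added example for this report (not the analysis platform's own code). It handles
the common evasion a plain `strings | grep` misses: annotations stored inside
FlateDecode-compressed streams.
"""
import re
import zlib
from urllib.parse import parse_qs, urlsplit

# Host named in the report's PDF_MALICIOUS_REDIRECTOR_LINK heuristic (assumed blocklist).
KNOWN_REDIRECTOR_HOSTS = {"botcraftman.ru"}

# Constructed sample (not the analysed file): two uncompressed Link annotations, the
# second with its URI as a hex string, plus a third annotation hidden in a FlateDecode stream.
_HIDDEN_ANNOT = (
    b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://img0.liveinternet.ru/images/attach/c/6//4694/4694413_cyfral__ccd__20_.pdf) >> >>"
)
_COMPRESSED = zlib.compress(_HIDDEN_ANNOT)
_HEX_URI = b"http://img1.liveinternet.ru/images/attach/c/6//4693/4693485_kak__aktivirovat__microsoft_.pdf".hex().encode()
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI "
    b"(http://botcraftman.ru/?lip&keyword=%D0%A1%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670] /A << /S /URI /URI <"
    + _HEX_URI + b"> >> >> endobj\n"
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length " + str(len(_COMPRESSED)).encode()
    + b" >>\nstream\n" + _COMPRESSED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI followed by a literal string "( ... )" (backslash escapes allowed) or a hex string "< ... >".
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
# Body of every stream whose dictionary declares /FlateDecode.
_FLATE_STREAM_RE = re.compile(rb"/FlateDecode[^>]*>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_pdf_string(token: bytes) -> str:
    """Turn a PDF literal or hex string token into text (URIs are ASCII, so latin-1 is lossless)."""
    if token.startswith(b"<"):
        return bytes.fromhex(re.sub(rb"\s", b"", token[1:-1]).decode("ascii")).decode("latin-1")
    body = re.sub(rb"\\([()\\])", rb"\1", token[1:-1])  # undo the \( \) \\ escapes
    return body.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw file and inside inflated FlateDecode streams."""
    blobs = [pdf]
    for m in _FLATE_STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # corrupt or non-zlib stream: skip it rather than abort the scan
    seen, uris = set(), []
    for blob in blobs:
        for m in _URI_RE.finditer(blob):
            uri = _decode_pdf_string(m.group(1))
            if uri not in seen:
                seen.add(uri)
                uris.append(uri)
    return uris


def triage(pdf: bytes, blocklist=KNOWN_REDIRECTOR_HOSTS) -> list[dict]:
    """Label each URI with its host, whether the host is a known redirector, and the decoded SEO keyword."""
    results = []
    for uri in extract_uris(pdf):
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        flagged = host in blocklist or any(host.endswith("." + b) for b in blocklist)
        keyword = parse_qs(parts.query).get("keyword", [None])[0]  # percent-decoded as UTF-8
        results.append({"uri": uri, "host": host, "flagged": flagged, "keyword": keyword})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_PDF):
        print("FLAGGED" if r["flagged"] else "       ", r["host"], r["keyword"] or "", r["uri"])
```

On the constructed sample this yields three URIs, with only the botcraftman.ru entry flagged and its keyword decoded to "Скачать". The regex approach is deliberately shallow: it does not walk the object graph, so it also reports URIs that no page references, and it ignores streams using filters other than FlateDecode, /Launch and /GoToR actions, and any JavaScript that builds a URL at runtime. It also does not follow the redirect chain the heuristic describes; resolve that in an isolated sandbox, never from the analysis host.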

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00055b0e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x55B0E   9832 bytes
  SHA-256: f2f0d3378e891a23326e87e1ffd2874d5ed8e00d320992e2020536a4efee04d5
font_01_sfnt_off0005775a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5775A   15960 bytes
  SHA-256: 87d7ede4f86278f5c56758d501453f06cc7fde11102b91e86088027bd999ccfd