Malicious PDF — malware analysis report

Static analysis result for SHA-256 958aee31b8018914…

MALICIOUS

PDF

Size: 187.2 KB
Created: 2015-07-26 10:15:35 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 5366a22c8d085f52a00b67439d327cf9
SHA-1: 15335a84c930fe71c25d4bc97118f700c32a37bf
SHA-256: 958aee31b80189147b15baa54cbc545430a792f2e053a082aa829b88aa088c70
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a direct link to a known malicious redirector, botcraftman.ru. This indicates the document is likely a lure to direct users to a malicious website for phishing or malware distribution. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure. The primary IOC is the malicious URL.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical; rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D0%B0%D1%81%D1%8C%D1%8F%D0%BD%D1%81+%D0%BF%D0%B0%D1%83%D0%BA+%D0%B4%D0%BB%D1%8F+windows+7+%D0%BD%D0%B0+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC+%D1%8F%D0%B7%D1%8B%D0%BA%D0%B5+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/5//4195/4195101_skachat_film_teleport_2_cherez_torrent_v_horoshem_kachestve.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184916_probnuyy_egye_po_istorii.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4215/4215146_audiokniga_nebesnaya_911_robert_stoun.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_048_off0002ac64.bin (kind: decompressed-pdf-stream; source: PDF FlateDecoded stream at offset 0x2AC64; size: 7692 bytes)
    SHA-256: 05b227fe85f84bc95a3bd922ca689dfeeeed138dff69b67116c5e32a4f05c3a0
  • font_00_sfnt_off00024644.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x24644; size: 3556 bytes)
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off000253c7.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x253C7; size: 14404 bytes)
    SHA-256: 49a5d585308130c701f84c3df08214d0946719a60a10c482b3b289c4ad960f50
  • font_02_sfnt_off00028144.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x28144; size: 14584 bytes)
    SHA-256: 9d90e18ee50434addfa8c210065a1461feda93b1cad23cebf91f15991c29ade2
  • font_04_sfnt_off0002c31f.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x2C31F; size: 6084 bytes)
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002d2b4.bin (kind: pdf-font-stream; source: PDF embedded font (sfnt) at offset 0x2D2B4; size: 3752 bytes)
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e