Malicious PDF — malware analysis report

Static analysis result for SHA-256 970f387ecf191c94…

MALICIOUS

PDF

Size: 360.0 KB
Created: 2015-08-21 09:24:50 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 535cdb1df6f92c17bc175d16432ec285
SHA-1: 3e329d7ae85966b890e6b35386a496d34115d3c9
SHA-256: 970f387ecf191c949b0e17ce60a87dd3500eb8756808dfdd9740710ff84985a7
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF contains an embedded JavaScript stream which is flagged as malicious. This script is responsible for redirecting the user to the URL http://botcraftman.ru/, which is known malicious infrastructure. The purpose of this redirection is likely to deliver a malicious payload or phish for credentials.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%BA%D0%BE%D0%B4%D1%8B+%D0%BD%D0%B0+%D1%81%D1%82%D0%B0%D0%BB%D0%BA%D0%B5%D1%80+%D0%B0%D0%BF%D0%BE%D0%BA%D0%B0%D0%BB%D0%B8%D0%BF%D1%81%D0%B8%D1%81&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654816_dzheronimo_stilton_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654803_devushka_davit_krolika.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654737_instrukciya_po_ohrane_truda_yurista.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00055dae.bin
  SHA-256: a11fd5c78b6e532c78e8c6a77f891d9cf1ac7a3331d27fd55b583ba11569bd09
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x55DAE
  Size: 7912 bytes

Filename: font_01_sfnt_off0005746c.bin
  SHA-256: b857478df7c1442f60243ece4bd724cca2a933b4fbe5077c78c6229d30879697
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5746C
  Size: 13936 bytes