Malicious PDF — malware analysis report

Static analysis result for SHA-256 9833b810385854ed…

MALICIOUS

PDF

Size: 339.6 KB
Created: 2015-08-25 23:21:16 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: f5580a653ad28de5c8d6d2f8446b47cd
SHA-1: ca58d0b4645deb2626120d25ad27b0fd8a063a86
SHA-256: 9833b810385854ed1bd5211926290641c7ce63fd91d68df8efd07d86a3694983
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, http://botcraftman.ru/, which is a strong indicator of malicious intent. The ML classifier also flagged this PDF with high confidence. No scripts were extracted, and the document body was heavily obfuscated, preventing further analysis of the specific lure. The primary attack vector appears to be the embedded malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+dota+2+%D1%87%D0%B5%D1%80%D0%B5%D0%B7+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740661_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4741/4741373_obrazec__zapolneniya__anketuy_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4741/4741181_chem__otkruyt__fayl_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source and size.

  • Filename: font_00_sfnt_off00050ac0.bin
    SHA-256: 81da6c9543709aca26a2cf5cb4a740dfde14b87d4f827ef18c03622f67e8278a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x50AC0
    Size: 8308 bytes
  • Filename: font_01_sfnt_off0005223e.bin
    SHA-256: 8ba8f9de2cabe0f0d0698b9c33d1abdd6c9a6d88ac1540bb754d8e312dbf099a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5223E
    Size: 14680 bytes