Malicious PDF — malware analysis report

Static analysis result for SHA-256 98606f22e9cef41a…

Verdict: MALICIOUS
File type: PDF
Size: 353.4 KB
Created: 2015-08-10 21:18:00 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 702e0a844b3a88e506a66b6fcbe60ef0
SHA-1: e0453fc37eabb1af35d92a0629c6d7d01c3c8663
SHA-256: 98606f22e9cef41ae37c984e4cf7578b98216183794c738c06d328ff907f9639
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, http://botcraftman.ru/, which is indicative of a phishing or malware distribution attempt. No scripts were extracted, and the document body was heavily obfuscated and truncated, limiting further analysis of the specific lure. The primary threat identified is the malicious redirector URL.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%87%D0%B8%D1%82%D1%8B+%D0%B4%D0%BB%D1%8F+%D0%BA%D0%BE%D0%BD%D1%82%D1%80+%D1%81%D1%82%D1%80%D0%B0%D0%B9%D0%BA+%D1%81%D0%BE%D1%83%D1%80%D1%81+v75&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4423/4423198_the_incredible_adventures_of_van_helsing_treyner.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4467/4467222_botuy_v_okope.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4459/4459888_bagi_na_zatochku_v_lineage_2_freya.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00053ee7.bin
    SHA-256: 8d1716ef4cd75107271de290fbffaf62ac18a7af4ccc47700e07410ccab955b3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x53EE7
    Size: 6852 bytes
  • Filename: font_01_sfnt_off00055325.bin
    SHA-256: b5fc96b66cffb4ca04a32a5afe8d7d5adc671a71e67591c1f6e0de141f08c1ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55325
    Size: 16864 bytes