Malicious PDF — malware analysis report

Static analysis result for SHA-256 997393e895dea2e8…

MALICIOUS

PDF

Size: 360.2 KB
Created: 2015-08-26 10:10:03 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 3e24cf457de01a8859c7f98215b00a2c
SHA-1: 4aab95e8266a694972d491ccdc8a6bf5dc819e4e
SHA-256: 997393e895dea2e818107b5a6a503c55ade61d0c5a03799499e7817cf49a1112
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, indicating it is used to lure users to a harmful site. The document body is heavily obfuscated and unreadable, providing no further context on the specific lure. No scripts were extracted from this sample. The primary IOC is the malicious URL found within the PDF.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%B0%D0%BC%D0%BE%D1%83%D1%87%D0%B8%D1%82%D0%B5%D0%BB%D1%8C+%D0%BA%D0%BE%D1%80%D0%B5%D0%B9%D1%81%D0%BA%D0%BE%D0%B3%D0%BE+%D1%8F%D0%B7%D1%8B%D0%BA%D0%B0+%D0%B4%D0%BB%D1%8F+%D0%BD%D0%B0%D1%87%D0%B8%D0%BD%D0%B0%D1%8E%D1%89%D0%B8%D1%85&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751810_klyuch__k__igre_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751921_lovi__video__skachat_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4751/4751819_kursovaya__rabota__na_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off00055bb6.bin
    SHA-256: 50c750d13f4f83971f3746ca1110bc1fec6ecad2252144e8a0ffeef6dd9ddb21
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55BB6
    Size: 8944 bytes
  • font_01_sfnt_off00057512.bin
    SHA-256: 7092ee597c400deec6297356f6d9d211f9a3258aa85f53c6e5dc443da3354118
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57512
    Size: 13980 bytes