MALICIOUS
60
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The PDF file contains a link to a known malicious redirector, http://botcraftman.ru/. This indicates an attempt to lure the user to a malicious site, likely for further exploitation or credential harvesting. No scripts were extracted, and the document body was unreadable, so the primary evidence comes from the embedded malicious URL.
Heuristics 2
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D1%80%D0%BE%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D1%83+%D0%B4%D0%BB%D1%8F+%D1%81%D0%B6%D0%B0%D1%82%D0%B8%D1%8F+%D0%BC%D1%83%D0%B7%D1%8B%D0%BA%D0%B8&charset=utf-8
- http://img1.liveinternet.ru/images/attach/c/7//4751/4751804_kak__nachat__sobstvennoe_.pdf
- http://img1.liveinternet.ru/images/attach/c/7//4751/4751528_obrazec__prikaza__ob_.pdf
- http://img1.liveinternet.ru/images/attach/c/7//4751/4751981_kryak__dlya__fifa_.pdf
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000550be.binbfd33852ca99a9208c01d6f8ae247d9341b5c063c91cba02ace2540eae0ba812 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x550BE | 8924 bytes |
font_01_sfnt_off00056a59.binf048db2af6c627657bbbebe0878a1db4e429eb5be19c8c2434af313aa1f71bd0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x56A59 | 12464 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.