Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f85517eb42f8393…

Verdict: MALICIOUS
File type: PDF
Size: 192.0 KB
Created: 2015-08-08 11:44:34 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 1612fa4b0fb1454cb53d12d93cffdc2f
SHA-1: 1a87be29f8eb2589b1d5451716eff65fce94583d
SHA-256: 9f85517eb42f8393d593147ed155065c276c785cf1f00c91e57d55f1d619b895
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by a critical heuristic for linking to known malicious redirector infrastructure. The ML classifier also strongly indicated maliciousness. The embedded URL points to botcraftman.ru, which is associated with malicious redirects. No scripts were extracted, but the presence of a malicious link suggests a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9976

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=3+d+%D0%B8%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%82%D0%BE%D1%80+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/6//4385/4385299_zhurnal_foma_skachat.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4388/4388460_undelete_plus_portable_298_rus.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4388/4388098_50_ottenkov_svoboduy_audiokniga_na_russkom_skachat_torrent.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, its source inside the PDF, and its size.

  • font_00_sfnt_off00025bea.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x25BEA; Size: 3556 bytes
  • font_01_sfnt_off0002696d.bin
    SHA-256: bea44c5d4de59206117c65763da88767f8f9a71ee3b6468bdb90cf8f55fa5ca4
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2696D; Size: 15424 bytes
  • font_02_sfnt_off0002991e.bin
    SHA-256: 54a9def00a75807df7245774544ce9570a28c7fcb87478bb619e965107c3684a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2991E; Size: 14468 bytes
  • font_03_sfnt_off0002c3ca.bin
    SHA-256: 4a01c4be01dc78bccdcb2d720cff239a0a4836d4daf6b6341a1ea2bb3426a4f6
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2C3CA; Size: 6404 bytes
  • font_04_sfnt_off0002d600.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2D600; Size: 6084 bytes
  • font_05_sfnt_off0002e595.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2E595; Size: 3752 bytes