Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fe1f142c339f6f6…

Verdict: MALICIOUS
File type: PDF
Size: 186.2 KB
Created: 2015-07-24 15:30:48 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 13d9b9460538dcc86263f711b32ba5ee
SHA-1: 09b37bdb52a25bb7322133c0e2417c21e09147b3
SHA-256: 9fe1f142c339f6f652adba86e37fd258149ed07c334f90a893cd0ea08ee48487
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by a critical heuristic for containing a link to known malicious redirector infrastructure. The ML classifier also assigned a high probability of maliciousness. The embedded URL points to 'botcraftman.ru', which is associated with malicious redirector activity. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D0%B0%D1%81%D1%8C%D1%8F%D0%BD%D1%81+%D0%BA%D0%BE%D1%81%D1%8B%D0%BD%D0%BA%D0%B0+%D0%B4%D0%BB%D1%8F+win+7+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/5//4187/4187080_skachat_narezki_na_telefon_besplatno_novinki_2014.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4188/4188912_ccleaner_skachat_besplatno_na_russkom.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4192/4192025_videokarta_apcb_m3_94v0.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00024423.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24423
    Size: 3556 bytes
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off000251a6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x251A6
    Size: 14796 bytes
    SHA-256: 17a386003867dccfcf1e41c41b5abfb15f9d6d1669e432af07a41e4eeb605a29
  • font_02_sfnt_off00027f95.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27F95
    Size: 14584 bytes
    SHA-256: 1c4898f7b99ab2c11a56665cbefc08e5ceeacefee14a320507059f2fe56739af
  • font_03_sfnt_off0002aab5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AAB5
    Size: 6968 bytes
    SHA-256: fc799ef65d8d31244eb77cb8e68b53756a727d40e0720084a4bd56eb6e12df6f
  • font_04_sfnt_off0002bed8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BED8
    Size: 6084 bytes
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002ce6d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CE6D
    Size: 3752 bytes
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e