Malicious PDF — malware analysis report

Static analysis result for SHA-256 a59432fa9281bae6…

Verdict: MALICIOUS
File type: PDF
Size: 346.8 KB
Created: 2015-08-19 14:14:03 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 71a688609cfe5f952beafc36b610839a
SHA-1: 498a30d08a069dd35ff06585a4870006091a6ea6
SHA-256: a59432fa9281bae684d5d5b8c0bbb0fcae24002b52301b9d6039ef91b29080da
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, http://botcraftman.ru/. This heuristic indicates the document is designed to lead the user to a potentially harmful site. The file's metadata suggests it was generated by wkhtmltopdf, a tool sometimes used to create malicious documents. No scripts were extracted, but the presence of the malicious URL is a strong indicator of malicious intent.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://botcraftman.ru/?lip&keyword=Spore+dark+injection+v9&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626540_skachat_simulyator_makdonaldsa.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626667_skachat_obraz_vindovs_hr_zver_2014_cherez_torrent_dlya_fleshki.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626629_adobe_flash_professional_cs6_skachat_besplatno_russkaya_versiya.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00051854.bin
  SHA-256: 3069967a64093af4676846d224cc94582b884bf0b9ca580f15ac7b83f934f276
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x51854
  Size: 9964 bytes

Filename: font_01_sfnt_off000533c9.bin
  SHA-256: ac216d2113d1d4c7370f550c1b067e1101b5eb4ae5ea1bf5bdf6f11750347129
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x533C9
  Size: 18936 bytes