Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0a7cb13412b5293…

MALICIOUS

PDF

Size: 186.6 KB | Created: 2015-07-24 12:05:16 +03:00 | Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 8e9f375aa2a6fd67f98384ab2e3e2281
SHA-1: 63fdc6d808c95df22bfb6fc319e184994779ed58
SHA-256: b0a7cb13412b5293f817c657d71929d9f0056da8d8282c0ce5ff3db6bd888d2b
Risk score: 60

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file contains an embedded link identified as a malicious redirector. This suggests the document's primary purpose is to lure the user to a potentially harmful external resource. No scripts were extracted, and the document body was not sufficiently readable to infer further intent. The link is the most critical indicator of malicious activity.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%9A%D0%BE%D0%B4+%D0%B0%D0%BA%D1%82%D0%B8%D0%B2%D0%B0%D1%86%D0%B8%D0%B8+%D0%B4%D0%BB%D1%8F+3d+%D0%B8%D0%BD%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%82%D0%BE%D1%80+2+2+7+%D0%B4%D0%BE%D0%BC%D0%B0%D1%88%D0%BD%D1%8F%D1%8F+%D0%B2%D0%B5%D1%80%D1%81%D0%B8%D1%8F&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4192/4192266_skachat_varkraft_3_frozen_tron_126a_cherez_torrent.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4185/4185160_instrukciya_stinol_rf_nf_255.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4191/4191292_ghostbusters_the_video_game_skachat_torrent.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000244c0.bin | 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x244C0 | 3556 bytes |
| font_01_sfnt_off00025243.bin | caa5128e1d86a3f7a31f93f0fe024bdb846ea6e09e91d66da528bcfcf761b2ef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25243 | 14880 bytes |
| font_02_sfnt_off00028092.bin | 3459546b4c057fc9813cbc6599971ca1441a9ed7f7e722dd5c1fa4f7ed6be232 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28092 | 14568 bytes |
| font_03_sfnt_off0002ab8c.bin | a13a9244f186985a779952dcbf1d968efa0a2ed83167a0003fe4edf09a34ff8d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2AB8C | 7176 bytes |
| font_04_sfnt_off0002c07d.bin | 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C07D | 6084 bytes |
| font_05_sfnt_off0002d012.bin | 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D012 | 3752 bytes |