Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2e15142ee17f11a…

MALICIOUS

PDF

341.3 KB Created: 2015-08-23 20:54:44 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6) First seen: 2020-09-24
MD5: f0186dd891e7e86f479d2fddbf3d9ba3 SHA-1: 9a77e9571cde9e4a7b96d435bb198aeb0e7756f3 SHA-256: b2e15142ee17f11aaaaafb115e5ed3c13ae5762034d63737e548c8147defb965
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as malicious by a machine learning classifier and contains a link to a known malicious redirector infrastructure at botcraftman.ru. This suggests the document is designed to lure users to a harmful website. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%9F%D0%BE%D1%88%D0%BB%D1%8B%D0%B5+%D0%B2%D0%BE%D0%BF%D1%80%D0%BE%D1%81%D1%8B+%D0%B4%D0%B5%D0%B2%D1%83%D1%88%D0%BA%D0%B8&charset=utf-8 In PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690035_80211n__wlan__adapter_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690044_veronika__rot__alligent_.pdfIn PDF document text
    • http://img0.liveinternet.ru/images/attach/c/6//4690/4690054_skachat__tv__pleer_.pdfIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00050f67.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x50F67 8216 bytes
SHA-256: f153be13f02febee7e214a2b17527d3be2ed242a315bbc0dfbdad8cfea90bf25
font_01_sfnt_off000526e3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x526E3 15256 bytes
SHA-256: 29f7eff688a2ec8365e6715f5afd18b6b0e85a51e86bce5025ccb6dcabedd4d0