Malicious PDF — malware analysis report

Static analysis result for SHA-256 c25fb24801268ed3…

Verdict: MALICIOUS
File type: PDF
Size: 186.2 KB
Created: 2015-07-24 04:16:34 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 3f178d52a02da5fafe1e22e0961a8459
SHA-1: 651a21bd6903cecec1aee86ba9cd425cb67e4ffc
SHA-256: c25fb24801268ed38d5c11d622d935376f84324fcdf0ce3565bfd67b7de83783
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF contains a clickable link to botcraftman.ru, a known malicious redirector. The link is dressed up as a software download (its query string asks for a torrent of Adobe After Effects CS6), which is the lure that gets the user to click. No scripts were extracted from the sample, and the page text could not be extracted. The threat is the embedded URL and the redirect chain behind it, which needs the user to click; nothing here depends on a PDF parser vulnerability.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Flagged URL (the clickable link matched by PDF_MALICIOUS_REDIRECTOR_LINK above):
    • http://botcraftman.ru/?lip&keyword=adobe+after+effects+cs6+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82+32-bit&charset=utf-8
      (the percent-encoded keyword decodes to the Russian "adobe after effects cs6 скачать торрент 32-bit", i.e. "adobe after effects cs6 download torrent 32-bit")
    Other URLs found in the document; the liveinternet.ru PDFs carry the same kind of free-download lure titles as this sample (transliterated Russian filenames glossed in brackets):
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/5//4187/4187707_moduy_ot_jove_dlya_world_of_tanks_092.pdf [mods from Jove for World of Tanks 0.9.2]
    • http://img1.liveinternet.ru/images/attach/c/5//4187/4187586_marina_korpan_bodifleks_video_uroki_skachat_besplatno_torrent.pdf [Marina Korpan bodyflex video lessons, free torrent download]
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184349_fb2_knigi_skachat_besplatno_bez_registracii.pdf [fb2 books, free download without registration]

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename: stream_048_off0002a8d9.bin
  SHA-256: 7ea1c70535045538dd2421f506b70d93709a4a57d6a4978ad34698353ead6334
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x2A8D9
  Size:    7576 bytes

Filename: font_00_sfnt_off00024029.bin
  SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x24029
  Size:    3556 bytes

Filename: font_01_sfnt_off00024dac.bin
  SHA-256: 1fa7f1a8a13824c4057ce67c2ebf6642cf0cf1b13cb465c551e934348e46d28a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x24DAC
  Size:    15216 bytes

Filename: font_02_sfnt_off00027d12.bin
  SHA-256: 5377840eade1193912af9ca9c7bdba1a2885b7836b9759ffd193e16e08bce214
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x27D12
  Size:    14808 bytes

Filename: font_04_sfnt_off0002bf1a.bin
  SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2BF1A
  Size:    6084 bytes

Filename: font_05_sfnt_off0002ceaf.bin
  SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2CEAF
  Size:    3752 bytes
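The two things this report did, pulling the clickable /URI targets (the EMBEDDED_URL and PDF_MALICIOUS_REDIRECTOR_LINK heuristics) and carving the FlateDecode and sfnt font streams with their file offsets (the artifact table above), can be reproduced with a short static triage script. The following is an added example, not the report's own tooling: it uses only the Python standard library, the function and class names are my own, and the PDF it runs on is built in memory as a constructed stand-in, not the analysed sample. The botcraftman.ru entry in KNOWN_REDIRECTORS is the IOC from this report.

```python
"""Static PDF triage: /URI link targets plus carving of embedded streams.

Added example, not the report's own tooling; standard library only. It lists
/URI annotations with the channel that reaches each one and carves FlateDecode
streams with their file offsets, tagging sfnt fonts by magic bytes. All names
and the in-memory sample PDF are constructed here; it is not the analysed file.
"""
import re
import zlib
from dataclasses import dataclass
from urllib.parse import urlsplit

KNOWN_REDIRECTORS = {"botcraftman.ru"}  # IOC taken from the report above
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")

@dataclass
class Artifact:
    offset: int  # file offset of the stream body
    kind: str    # "sfnt-font" | "decompressed-stream" | "raw-stream"
    data: bytes

@dataclass
class Uri:
    url: str
    channel: str  # "link-annotation" (clickable) | "action" (any other /URI)
    known_bad: bool

def _objects(pdf: bytes):
    # Yield (body offset, dictionary part, body, stream match) per 'N G obj'; no xref needed.
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(3)
        sm = STREAM_RE.search(body)
        yield obj.start(3), (body[: sm.start()] if sm else body), body, sm

def carve_streams(pdf: bytes) -> list[Artifact]:
    """Inflate every FlateDecode stream and classify it by its leading bytes."""
    found = []
    for off, header, body, sm in _objects(pdf):
        if not sm:
            continue
        lm = LENGTH_RE.search(header)  # a direct /Length beats the regex bounds
        raw = body[sm.start(1): sm.start(1) + int(lm.group(1))] if lm else sm.group(1)
        data, kind = raw, "raw-stream"
        if b"/FlateDecode" in header:
            try:  # decompressobj() tolerates a truncated tail; a bad header still raises
                data, kind = zlib.decompressobj().decompress(raw), "decompressed-stream"
            except zlib.error:
                pass  # corrupt deflate: keep the raw bytes for manual review
        if data[:4] in SFNT_MAGICS:
            kind = "sfnt-font"
        found.append(Artifact(off + sm.start(1), kind, data))
    return found

def _views(pdf: bytes, artifacts: list[Artifact]) -> list[bytes]:
    # Searchable text: dictionary parts plus inflated streams (object streams can hide dicts).
    return [header for _, header, _, _ in _objects(pdf)] + [a.data for a in artifacts]

def extract_uris(pdf: bytes, artifacts: list[Artifact]) -> list[Uri]:
    """Every /URI target, labelled with the channel that reaches it."""
    seen, uris = set(), []
    for chunk in _views(pdf, artifacts):
        channel = "link-annotation" if re.search(rb"/Subtype\s*/Link", chunk) else "action"
        for m in URI_RE.finditer(chunk):
            url = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")  # undo PDF escapes
            if (url, channel) not in seen:
                seen.add((url, channel))
                host = (urlsplit(url).hostname or "").lower()
                uris.append(Uri(url, channel, host in KNOWN_REDIRECTORS))
    return uris

def triage_pdf(pdf: bytes) -> dict:
    """Report-style verdict: a clickable link to a known redirector is malicious on
    its own (no script needed); active content with no bad link is only suspicious."""
    artifacts = carve_streams(pdf)
    uris = extract_uris(pdf, artifacts)
    active = sorted({m.group(1).decode() for v in _views(pdf, artifacts)
                     for m in ACTIVE_RE.finditer(v)})
    verdict = "MALICIOUS" if any(u.known_bad for u in uris) else ("SUSPICIOUS" if active else "CLEAN")
    return {"verdict": verdict, "uris": uris, "artifacts": artifacts, "active_markers": active}

def build_sample_pdf() -> bytes:
    """Constructed stand-in: one page, two link annotations, a FlateDecode content
    stream, a FlateDecode sfnt font stream, and deliberately no xref table."""
    def flate(extra: bytes, data: bytes) -> bytes:
        z = zlib.compress(data)
        return b"<< %s /Filter /FlateDecode /Length %d >>\nstream\n" % (extra, len(z)) + z + b"\nendstream"
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # sfnt version tag plus filler, no real tables
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R] >>",
        flate(b"", b"BT /F1 12 Tf 72 700 Td (Adobe After Effects CS6 - download) Tj ET"),
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=adobe+after+effects) >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 650 200 670] /A << /S /URI /URI (http://fastpic.ru/) >> >>",
        flate(b"/Length1 64", font),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"

if __name__ == "__main__":
    for u in triage_pdf(build_sample_pdf())["uris"]:
        print("BAD" if u.known_bad else "ok ", u.channel, u.url)
```

Swap build_sample_pdf() for open(path, "rb").read() to run it on a real file. Two design choices matter for malicious samples: the object scanner ignores the xref table on purpose, because it is often missing or wrong in crafted files, and extract_uris searches the inflated streams as well as the raw object dictionaries, because a PDF that keeps its annotations in an object stream shows no /URI at all until the streams are decompressed. A truncated or corrupt FlateDecode stream is kept as a raw-stream artifact rather than dropped. It does not handle /URI given as a hex string or an encrypted document.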