Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbdac51bf951458b…

MALICIOUS

PDF

Size: 381.4 KB | Created: 2015-08-27 23:46:03 +03:00 | Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 4825b875c2bafc5bfa70ac76e48544e6 SHA-1: fa298dafb2c436818cf805f532127bcc9d019def SHA-256: cbdac51bf951458ba5db5fa39e5bea8661ce682b4659df7ae9a53b3f89811463
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell. The T1566.002 mapping is supported by the flagged link below. The PowerShell mapping is not corroborated by anything carved from this file (no scripts were extracted from the sample), so treat it as a campaign-level tag rather than a property of this document.

The PDF was flagged as a malicious redirector because of its embedded link to botcraftman.ru, a host known to point at malicious infrastructure. The link's keyword parameter percent-encodes the Cyrillic word скачать ("download") after an English textbook title, the pattern of a search-engine lure that promises a download and then redirects. The document body is heavily obfuscated and offers no clear textual lure of its own, and the authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a document generated in bulk from a web template. No scripts were extracted from this sample. The attack vector is therefore the URL itself: the file carries no exploit, and a user who clicks the link is redirected server-side to a destination that static analysis of the file cannot see.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    The PDF contains a clickable link-annotation URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind rely on user interaction and a server-side redirect chain rather than on a PDF parser vulnerability, so the file itself carries no exploit; the risk lies in the destination, which can change at any time without the document changing.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection by itself; the per-URL labels record which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=straightforward+pre-intermediate+teachers+book+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C&charset=utf-8
      (link annotation; host flagged by PDF_MALICIOUS_REDIRECTOR_LINK; the keyword parameter decodes to "straightforward pre-intermediate teachers book скачать")
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788020_skachat__mod__povelitel_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788085_dogovor__arenduy__kafe_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4788/4788002_detskaya__klassicheskaya__muzuyka_.pdf
      (three further PDFs on img0.liveinternet.ru whose filenames are transliterated Russian search phrases; not flagged, but worth pulling as likely sibling documents of the same campaign)

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs of the kind an HTML-to-PDF converter embeds for the fonts it renders with; they are font data, not script. Note that the two offsets are only 0x1C64 (7268) bytes apart while the first artifact is 10244 bytes long, so the listed sizes are presumably those of the decoded streams rather than the raw on-disk spans (assumption: the font streams are stored compressed in the file).

Filename                      Kind             Source                                      Size
font_00_sfnt_off0005a564.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5A564  10244 bytes
  SHA-256: 0b60548fe1eeedc5dcb68250909d3e6e6379f90fb143aade92ede1731eb7af72
font_01_sfnt_off0005c1c8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5C1C8  17112 bytes
  SHA-256: b1bdf8fa5189c35e330fed281f4e7f1e5129b2df3a0acc5ce6b2517fbbee11e8
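
As an added example (not the analysis vendor's code and not part of the original report), the following Python script reproduces the two steps the report summarises: extracting link-annotation /URI strings and labelling the host named by the PDF_MALICIOUS_REDIRECTOR_LINK heuristic, and carving uncompressed sfnt font streams with their offsets, sizes and SHA-256 hashes in the same form as the artifact table. It runs on a constructed PDF fragment built inline, not on the analysed sample. The blocklist contains only botcraftman.ru (the one host this report names); the regexes handle literal-string URIs and direct integer /Length values only, so for filtered or indirect streams in a real file use a full parser such as pikepdf or pdfminer.

```python
"""Triage a PDF for link-annotation URIs and embedded sfnt font streams.

Added example for this report, not the analysis vendor's code. Runs on the
constructed SAMPLE_PDF below, not on the analysed file.
"""
import hashlib
import re
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed blocklist: only botcraftman.ru comes from the report itself.
KNOWN_REDIRECTOR_HOSTS = {"botcraftman.ru"}

# Magic values that begin an sfnt container (TrueType, CFF-based OpenType,
# Apple 'true', TrueType collection).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# Constructed font stream: a 12-byte sfnt offset table declaring zero tables
# plus padding. Real embedded fonts are far larger; the magic is what matters.
FONT_BYTES = struct.pack(">IHHHH", 0x00010000, 0, 0, 0, 0) + b"\x00" * 20

# Constructed PDF fragment (hypothetical, not the analysed file): two /Link
# annotations with /URI actions and one uncompressed FontFile2 stream.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]\n",
    b"   /A << /S /URI /URI (http://botcraftman.ru/?lip&keyword=straightforward"
    b"+pre-intermediate+teachers+book+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C"
    b"&charset=utf-8) >> >>\nendobj\n",
    b"2 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 30 100 50]\n",
    b"   /A << /S /URI /URI (http://img0.liveinternet.ru/images/attach/c/7//4788/"
    b"4788020_skachat__mod__povelitel_.pdf) >> >>\nendobj\n",
    b"3 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (len(FONT_BYTES), len(FONT_BYTES)),
    FONT_BYTES,
    b"\nendstream\nendobj\n%%EOF\n",
])

# Literal-string /URI values; handles backslash escapes, not hex strings <...>.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
# Stream dictionaries with a direct integer /Length (indirect lengths and
# /Filter'ed streams need a real parser).
STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI literal string found in the file, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def classify_url(url: str) -> dict:
    """Label a URL as the report's heuristics do and decode its query string."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)  # '+' -> space, percent-decoding as UTF-8
    label = ("PDF_MALICIOUS_REDIRECTOR_LINK" if host in KNOWN_REDIRECTOR_HOSTS
             else "EMBEDDED_URL")
    return {"url": url, "host": host, "label": label,
            "keyword": query.get("keyword", [None])[0]}


def carve_sfnt_streams(pdf: bytes) -> list:
    """Find uncompressed streams that begin with an sfnt magic and hash them."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()                      # file offset of the stream data
        data = pdf[start:start + int(m.group(1))]
        if data[:4] in SFNT_MAGICS:
            found.append({
                "offset": start,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                # Same naming scheme as the report's artifact table.
                "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            })
    return found


def triage(pdf: bytes) -> dict:
    """Run both checks; the verdict mirrors the report's critical heuristic."""
    urls = [classify_url(u) for u in extract_uris(pdf)]
    fonts = carve_sfnt_streams(pdf)
    hit = any(u["label"] == "PDF_MALICIOUS_REDIRECTOR_LINK" for u in urls)
    return {"verdict": "MALICIOUS" if hit else "CLEAN", "urls": urls, "fonts": fonts}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(result["verdict"])
    for u in result["urls"]:
        print(u["label"], u["url"], "keyword=%r" % u["keyword"])
    for f in result["fonts"]:
        print(f["filename"], f["size"], "bytes", f["sha256"])
```

Running it prints MALICIOUS, labels the botcraftman.ru link as the redirector hit with its decoded keyword, leaves the liveinternet.ru link at EMBEDDED_URL, and lists one carved font with a filename of the same form as font_00_sfnt_off0005a564.bin in the table above.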