Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1e46824981ffc75…

Verdict: MALICIOUS
File type: PDF
Size: 362.9 KB
Created: 2015-08-21 09:18:19 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 8147d5966d6eb7d6e968004c23e26e14
SHA-1: f8b79d98537222c26ccd5a38b284380fbfe63bfd
SHA-256: d1e46824981ffc75442f90d8261c4fbc00dfcd8c6087dae895473f381e345960
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged as malicious due to a link pointing to a known malicious redirector infrastructure at botcraftman.ru. This suggests the document's primary purpose is to lure the user to a compromised or malicious site. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing further analysis of its specific content or intent beyond the malicious link.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://botcraftman.ru/?lip&keyword=shellexecuteex+%D1%81%D0%B1%D0%BE%D0%B9+%D0%BA%D0%BE%D0%B4+1155&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654691_drayvera_dlya_pleera_qumo_boxon.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654704_24_demona_billi_milligana_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654677_skachat_gta_san_andreas_multipleer_03e_torrent.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                     | Size
font_00_sfnt_off000563cd.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x563CD | 8384 bytes
  SHA-256: 09a857a4e8f9e0aaa4bb3c1c18bba99ae1b49bb42cc685ccb751f79669e454ce
font_01_sfnt_off00057bc8.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57BC8 | 15612 bytes
  SHA-256: 94e60be7d8760e61f4e175abbaf013a3b115f2896b747cdc28b85647569eec6b