Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2134fa03a066723…

Verdict: MALICIOUS
File type: PDF
Size: 391.1 KB
Created: 2015-08-26 18:50:24 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 8148a372b9ff894d7b69b35daaf9d908
SHA-1: ab35f86d85df6986c33bb96a48f995332659b666
SHA-256: d2134fa03a066723bb4188360c5112db90233ae8bfb3c9cfa88a29d0d66e678a
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file triggers a critical heuristic indicating that it links to known malicious redirector infrastructure. The ClamAV detection further confirms its malicious nature as a dropper. The primary malicious IOC is the embedded URL, which likely serves as the initial stage for delivering further malware. No scripts were extracted, which limits analysis of the payload delivery mechanism.

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • ClamAV: Pdf.Dropper.Agent-8649073-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8649073-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%9D%D0%B0%D1%83%D1%87%D0%B8%D1%82%D0%B5%D1%81%D1%8C+%D0%BC%D1%8B%D1%81%D0%BB%D0%B8%D1%82%D1%8C+%D0%B8+%D1%80%D0%B8%D1%81%D0%BE%D0%B2%D0%B0%D1%82%D1%8C+%D0%BA%D0%B0%D0%BA+%D0%9B%D0%B5%D0%BE%D0%BD%D0%B0%D1%80%D0%B4%D0%BE+%D0%B4%D0%B0+%D0%92%D0%B8%D0%BD%D1%87%D0%B8doc&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762117_proshivka__dlya__nokia_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762279_arcon__200502__russkiy_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4762/4762367_skachat__igru__city_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0005d40e.bin
    SHA-256: 094bf4bc7d8d6ce333840221b29ed6ad041fbe5c95fa763889c1806e4a7e5268
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5D40E
    Size: 8656 bytes
  • Filename: font_01_sfnt_off0005ec82.bin
    SHA-256: e24b69a79a291610e3f5bcc91b153bb1dc4caa9ce7987a4f8cc0f836f97bd330
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EC82
    Size: 15712 bytes