Malicious PDF — malware analysis report

Static analysis result for SHA-256 d44b2340f0965f11…

MALICIOUS

PDF

Size: 363.4 KB
Created: 2015-08-25 22:27:00 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: d7120b36487c4cb1fb243fe8ece29b83
SHA-1: 51ec4cd9c4e1c56d6f37f0f83e3023b08ac1efb3
SHA-256: d44b2340f0965f11ada8cf28b1e910b0e0b15c5147f7fef7694e74fdd8443a49
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, http://botcraftman.ru/, which is a strong indicator of malicious intent. The ML classifier also flagged this PDF with high confidence. The presence of embedded URLs and the critical heuristic firing suggest this PDF is designed to lure users to a malicious site, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%80%D0%B0%D1%81%D0%BF%D0%B8%D1%81%D0%B0%D0%BD%D0%B8%D0%B5+%D0%B2%D1%80%D0%B0%D1%87%D0%B5%D0%B9+%D0%BD%D0%B5%D1%84%D1%82%D0%B5%D1%8E%D0%B3%D0%B0%D0%BD%D1%81%D0%BA&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740575_volshebnaya__istoriya__zhasmin_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740871_skachat__igru__zvezdnuye_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4740/4740773_napravlenie__na__medosmotr_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00056283.bin
    SHA-256: 19995e083efeb1e5049c163819cd06a3188f88dbd7b9f9eea9267ab9af11331e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56283
    Size: 9044 bytes
  • font_01_sfnt_off00057cab.bin
    SHA-256: e5e2c9abe9d2bbaa828f3e5a2aaf05aae77cccb098283f2daf3bd14c5b5f7b83
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57CAB
    Size: 16128 bytes