Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6f26e6451c5a881…

Verdict: MALICIOUS
File type: PDF
Size: 186.5 KB
Created: 2015-07-23 20:24:03 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 99c9dce2ec01f69c38a1ee377a516181
SHA-1: 3fe98f7b1a0691614d464b1d2daf91a20e84aff9
SHA-256: d6f26e6451c5a8815b4460fa110f6630e9a043dfa638f2ea7d4b556bcacce6ef
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a critical heuristic firing for a malicious redirector link pointing to botcraftman.ru. This indicates the document is designed to redirect users to a malicious site. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, and the document body was truncated, but the presence of the malicious URL is sufficient evidence of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%B2%D0%BE%D0%B7%D0%B2%D1%80%D0%B0%D1%89%D0%B5%D0%BD%D0%B8%D0%B5+%D0%BD%D0%B0+%D1%82%D0%B0%D0%B8%D0%BD%D1%81%D1%82%D0%B2%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9+%D0%BE%D1%81%D1%82%D1%80%D0%BE%D0%B2+2+%D0%BA%D0%BB%D1%8E%D1%87&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184400_kallanetika_s_ekaterinoy_ruykovoy_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184475_ppr_na_yelektromontazhnuye_rabotuy_skachat_besplatno.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4183/4183184_labirint_minotavra_shema.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00024584.bin
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24584
    Size: 3556 bytes
  • font_01_sfnt_off00025307.bin
    SHA-256: fc0333f42ea73339be1c1a6640d4a1cc77002ff2d991af0583bfcce0855f841b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25307
    Size: 14728 bytes
  • font_02_sfnt_off00028151.bin
    SHA-256: 99e9d0be55a0a8faf4a859c714f22f2f5d54fec4c23bd9692cb165f5354c4780
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x28151
    Size: 14680 bytes
  • font_03_sfnt_off0002ac18.bin
    SHA-256: ac8bfbb8a1ac97c23eb7cd852e9c1c19bb0e4ccf8ddfb868a5c142ac59d9a8e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AC18
    Size: 6960 bytes
  • font_04_sfnt_off0002c017.bin
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C017
    Size: 6084 bytes
  • font_05_sfnt_off0002cfac.bin
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CFAC
    Size: 3752 bytes