Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9e8bb3da3603595…

MALICIOUS

PDF

362.4 KB Created: 2015-08-19 14:05:49 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 3c4812311446870625fa0db1c81d04d1 SHA-1: 78c9823bc719995690b9b02e92bf6e69cfb098c7 SHA-256: d9e8bb3da36035951197d35ee1170dbec658a3dcb4e20f8250e7af71cc13fed7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as a malicious redirector due to the presence of a link to botcraftman.ru. This URL is known to lead to malicious infrastructure, suggesting the document's primary purpose is to lure users to a harmful site. No scripts were extracted, and the document body was heavily obfuscated, preventing further analysis of the specific lure.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%BF%D0%BE%D1%80%D0%BD%D0%BE+%D1%81+%D0%B6%D0%B8%D0%B2%D0%BE%D1%82%D0%BD%D1%8B%D0%BC%D0%B8+%D0%BD%D0%B0+%D1%82%D0%B5%D0%BB%D0%B5%D1%84%D0%BE%D0%BD&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626443_skachat_geym_haker_na_russkom_na_android.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496735_yekskursii_v_adlere_cenuy.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626499_rezultatuy_gia_po_matematike_2015_9_klass_po_pasportnuym_dannuym.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000566e0.bin
3cf0f01c67a8259d062cb36e0b457b2ba593b74f64dad618fac52a63381294ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x566E0 9288 bytes
font_01_sfnt_off000580f2.bin
b86bdede960dbab9539b781b0cc5999845a33c82924292fe28e55b79de11a839		 pdf-font-stream PDF embedded font (sfnt) at offset 0x580F2 12936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.