Malicious PDF — malware analysis report

Static analysis result for SHA-256 daa64e7cf6ea693b…

Verdict: MALICIOUS
File type: PDF
Size: 379.1 KB
Created: 2015-08-19 14:28:18 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: a06ff30d3a0b29e4ee9b47882e8430d7
SHA-1: 05314bd8ff3dd6bac2d487f912d7cd5708e34938
SHA-256: daa64e7cf6ea693b2f1fea09b651ecadf64c6d47c469f44bfb72f05e6473b3b6
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a critical heuristic: it links to known malicious redirector infrastructure. The ML classifier also flagged this PDF with high confidence. The embedded URL points to botcraftman.ru, which is likely used to host further malicious content or to redirect to a phishing page. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical) PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%94%D1%80%D0%B0%D0%B9%D0%B2%D0%B5%D1%80%D0%B0+%D0%BD%D0%B0+%D0%BC%D0%B8%D0%BA%D1%80%D0%BE%D1%84%D0%BE%D0%BD+sven+mk+200&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626779_skachat_ucp_81_dlya_css_v34.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626926_skachat_instrukciyu_regulirovka_klapanov_na_daf_95_ati.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496737_samouchitel_levina_android_na_planshetah_i_smartfonah_skachat.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0005a3c8.bin
    SHA-256: e4f964028cd4bb99f7e62e4eb6d2fe9d5976322f892bf5103a2342fc032c4890
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A3C8
    Size: 9252 bytes
  • Filename: font_01_sfnt_off0005be87.bin
    SHA-256: cd268e0f728863a668d5e7803a2525c143fafec881e69375281bc6b3ff797d76
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5BE87
    Size: 14656 bytes