Malicious PDF — malware analysis report

Static analysis result for SHA-256 de03ec09bb141ab3…

Verdict: MALICIOUS
File type: PDF

Size: 363.2 KB
Created: 2015-08-21 09:22:48 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: ba540ea51514cdbe170a2eacb94fb2c9
SHA-1: a4f6ec1ba3ef5a31ce6995d3d565b3d79d382b5f
SHA-256: de03ec09bb141ab398bd108b666c1b2abd7cc3f9d0b117136607bb2f52776d45
Risk Score: 98

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1071.001 Web Protocols

The PDF contains an embedded JavaScript stream and a malicious redirector link pointing to botcraftman.ru. This indicates the document is designed to lure the user to a potentially harmful website. The ML classifier strongly supports the malicious nature of this PDF. The presence of embedded JavaScript suggests an attempt to execute code or perform further malicious actions upon opening.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://botcraftman.ru/?lip&keyword=%D0%BF%D1%80%D0%BE%D1%88%D0%B8%D0%B2%D0%BA%D0%B0+%D1%80%D0%B5%D1%81%D0%B8%D0%B2%D0%B5%D1%80%D0%B0+%D1%82%D1%80%D0%B8%D0%BA%D0%BE%D0%BB%D0%BE%D1%80+dre+5000&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654768_rep_pro_lager_tekst.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654722_vyacheslav_dobruynin_diskografiya_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654803_devushka_davit_krolika.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0005649b.bin
    SHA-256: e367d14587ec566ddff3a40891a26628134088a17d0255ef4343084e41d5f65b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5649B
    Size: 9392 bytes
  • font_01_sfnt_off00057ea8.bin
    SHA-256: d6c9f8abd4da4f2b7b028d854ec32f5f1cc5a87b7fc0d7fe335511b4cba8aa46
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57EA8
    Size: 14576 bytes