Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0dcb4ca3a04b0ab…

MALICIOUS

PDF

Size: 185.8 KB
Created: 2015-07-23 20:22:10 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 64ea928ca69eaad9420e3c5cce242522
SHA-1: fc1271bab510dce2e4f696234bef449a8fd9be8a
SHA-256: e0dcb4ca3a04b0ab4e3994cc18014211ae7c5ca5b60ebfc156db30d3553707a2
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged for containing a link to a known malicious redirector. This indicates the document is likely a lure designed to redirect users to a malicious website for phishing or malware delivery. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific content. The primary IOC is the malicious redirector URL.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%A1%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%81%D0%BE%D0%BD%D0%B8+%D0%B2%D0%B5%D0%B3%D0%B0%D1%81+%D0%BF%D1%80%D0%BE+10+%D0%BD%D0%B0+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img1.liveinternet.ru/images/attach/c/5//4183/4183242_vertikalnuyy_finansovuyy_analiz_primer.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184501_skachat_zvuki_hodbuy.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4184/4184295_skachat_mp_flooder.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source (location inside the PDF), size and SHA-256.

  • font_00_sfnt_off000243a7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x243A7
    Size: 3556 bytes
    SHA-256: 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281
  • font_01_sfnt_off0002512a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2512A
    Size: 14688 bytes
    SHA-256: b5f276039487fc043a2dc370c139c4563f700ae056943f84fcd962dd6beac5d9
  • font_02_sfnt_off00027f18.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27F18
    Size: 14468 bytes
    SHA-256: 38289d23cad9be3616ee8da6c70791c855e02ac54892d17b3395a9fce63ab9be
  • font_03_sfnt_off0002a9cc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A9CC
    Size: 6736 bytes
    SHA-256: f02c6b3554e1ad303d97693ede6f751ac770eb265bfab180af6a6a87f66e11f7
  • font_04_sfnt_off0002bd3b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BD3B
    Size: 6084 bytes
    SHA-256: 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3
  • font_05_sfnt_off0002ccd0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CCD0
    Size: 3752 bytes
    SHA-256: 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e