Malicious PDF — malware analysis report

Static analysis result for SHA-256 e483d01493bfa753…

Verdict: MALICIOUS
File type: PDF

Size: 373.4 KB
Created: 2015-08-24 02:05:49 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 5e1e7e69781f33afc9dc6f7286e896dc
SHA-1: 3036bfb22ec8bf2e829f40541fd7753d3e5183d0
SHA-256: e483d01493bfa7539872dbd966be554d02f8f8b8d2a8858caef2a8753265377c
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains an embedded link to a known malicious redirector, http://botcraftman.ru/. This heuristic firing indicates the document is likely part of a phishing or malware distribution campaign. No scripts were extracted from this sample, and the document body was heavily obfuscated and truncated, preventing further analysis of its specific content or intent.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%B8%D1%81%D1%82%D0%BE%D0%BC%D0%B8%D0%BD%D0%B0+%D0%BC%D0%B0%D1%82%D0%B5%D0%BC%D0%B0%D1%82%D0%B8%D0%BA%D0%B0+4+%D0%BA%D0%BB%D0%B0%D1%81%D1%81+%D1%83%D1%87%D0%B5%D0%B1%D0%BD%D0%B8%D0%BA&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693956_kak__pit__kazhduyy_.pdf
    • http://img1.liveinternet.ru/images/attach/c/6//4693/4693756_masha__i__medved_.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4696/4696693_skachat__chit__matrix_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off00058f55.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x58F55   7588 bytes
  SHA-256: ffcaec58d6b68ec081f54c01b5a0d5890e2f3b5db026a305cb5c1e3bcddf955d
font_01_sfnt_off0005a582.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5A582   15640 bytes
  SHA-256: 10befe3214af01717ebcc0705c503d803f70009d980f8baf32d6bd6a6c9f4158