Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4d875e8c534b28c…

MALICIOUS

PDF

Size: 360.4 KB
Created: 2015-08-19 13:51:53 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 41a0b1e1da62efe24a683542cca19dee
SHA-1: f5e0bdd34321207aa37b8f6b1881ff31dec2f15c
SHA-256: e4d875e8c534b28cacea4f4358d3460ad0434ef6012b4c2cd6ee6d2fbd338092
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF triggers a heuristic for a malicious redirector link pointing to botcraftman.ru, which indicates the document is designed to redirect users to a potentially harmful site. The document body is heavily obfuscated and does not provide clear textual lures, but the presence of the malicious URL is sufficient evidence of malicious intent. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://botcraftman.ru/?lip&keyword=igo+primo+2015+%D0%B4%D0%BB%D1%8F+%D0%B0%D0%BD%D0%B4%D1%80%D0%BE%D0%B8%D0%B4&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626603_gameplayer_skachat_na_android.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496726_verka_serdyuchka_vse_albomuy_skachat_besplatno_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626449_kak_aktivirovat_kod_produkta_origin_dlya_fifa_15.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00055374.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x55374   8652 bytes
    SHA-256: 4b218f7fc875a7099b874ca09e263793a0558e5a8b10232c4fb113b7197cca22
font_01_sfnt_off00056c0d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x56C0D   18356 bytes
    SHA-256: 070e2fcc5b259ea2ce359998ded24a9a621613aa0d6789c6284206f4aa0d13b3