Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4db8291433b7dbc…

Verdict: MALICIOUS
File type: PDF
Size: 372.1 KB
Created: 2015-08-21 09:26:56 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 70cdbc2ed2006b2629492c1321aa5fe2
SHA-1: f05dcf71afbcc4d15fac199b6951b46bdd8a3658
SHA-256: e4db8291433b7dbcb83eba9a84738ad771a1fff52f74559182b4a21deba613bd
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was identified as malicious due to a critical heuristic firing for a link to known malicious redirector infrastructure. The embedded URL, http://botcraftman.ru/..., is the primary indicator of malicious intent. No scripts were extracted, and the document body was heavily obfuscated, preventing further analysis of its specific lure. The file's purpose is likely to redirect users to a malicious website for phishing or malware delivery.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://botcraftman.ru/?lip&keyword=%D0%BF%D1%80%D0%BE%D1%85%D0%BE%D0%B6%D0%B4%D0%B5%D0%BD%D0%B8%D0%B5+%D0%B8%D0%B3%D1%80%D1%8B+%D1%81%D1%82%D0%B0%D0%BB%D0%BA%D0%B5%D1%80+%D0%BD%D0%B0%D1%80%D0%BE%D0%B4%D0%BD%D0%B0%D1%8F+%D1%81%D0%BE%D0%BB%D1%8F%D0%BD%D0%BA%D0%B0+2015&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654777_rezultatuy_egye_po_istorii_2015_orenburgskaya_oblast.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654822_skachat_virtualnuye_barabanuy_na_kompyuter.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4654/4654811_karta_germanii_dlya_navitel_skachat_besplatno.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000585b0.bin
  SHA-256: d3d22295b5a5b17d30883c7ca8e247d759ba084193576999d16d89ac3c0fd973
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x585B0
  Size: 8600 bytes

Filename: font_01_sfnt_off00059f06.bin
  SHA-256: 494db8722e8246b6c0efe26d9c841f7ea4163926b162256fcf480d4aafc0981f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x59F06
  Size: 15788 bytes