Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee6cd517c485ea99…

MALICIOUS

PDF

371.0 KB Created: 2015-08-22 09:22:56 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 43c3efe25c73e2a3541370ac7e66573c SHA-1: c01fd926e9c3e45018a1d2e3d6e27a5615d2656d SHA-256: ee6cd517c485ea9928ef0794ace26f7e11c88a4d6826fc1c5d9dc449dfc25a96
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a critical heuristic firing indicating a link to a known malicious redirector at http://botcraftman.ru/. This suggests the document is designed to lure the user to a malicious website, likely for phishing or malware delivery. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the specific lure.

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=3+doors+down+%D0%B4%D0%B8%D1%81%D0%BA%D0%BE%D0%B3%D1%80%D0%B0%D1%84%D0%B8%D1%8F+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%82%D0%BE%D1%80%D1%80%D0%B5%D0%BD%D1%82&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4674/4674794_plakatuy_k_1_sentyabrya_skachat_besplatno.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4674/4674743_randevu_s_neznakomkoy_klubnika_poderevenski_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4674/4674554_skachat_makros_dlya_x7_warface_besplatno.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00058151.bin
589f78f12e2150eaa2059362924c537fbf0659f6f2bf6a17a6605edc0f1dcbf5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58151 9332 bytes
font_01_sfnt_off00059c73.bin
1756ec3c1694ed24d763aac6656b4bfad73ecbe1a3b19ff3b8220fca38e0e537		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59C73 15744 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.