Malicious PDF — malware analysis report

Static analysis result for SHA-256 eee78f3a14b3018e…

Verdict: MALICIOUS
File type: PDF
Size: 187.0 KB
Created: 2015-07-27 00:33:16 +03:00
Authoring application: wkhtmltopdf 0.12.2.1 (via Qt 4.8.6)
MD5: 5bac4ea320d329ace40b16d197dd2f7b
SHA-1: ff48f285aad5eb963e3f4c9636a525165dff44d7
SHA-256: eee78f3a14b3018e49108b64c14d7cc7e6cb9a906884d4f9f104e7cf33e67108
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

A critical heuristic fired on this PDF file, indicating a link to known malicious redirector infrastructure. The primary malicious URL identified is http://botcraftman.ru/. This suggests the document's purpose is to lure the user to this malicious site, likely for phishing or malware delivery. No scripts were extracted, and the document body was not parsable.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure [critical] (PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D0%A1%D0%BC%D0%BE%D1%82%D1%80%D0%B5%D1%82%D1%8C+%D0%B2%D1%81%D0%B5+%D0%BA%D0%B0%D0%BD%D0%B0%D0%BB%D1%8B+%D0%BE%D0%BD%D0%BB%D0%B0%D0%B9%D0%BD+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%BF%D1%80%D1%8F%D0%BC%D0%BE%D0%B9+%D1%8D%D1%84%D0%B8%D1%80&charset=utf-8
    • http://fastpic.ru/
    • http://www.liveinternet.ru/click
    • http://img0.liveinternet.ru/images/attach/c/5//4210/4210772_audiokniga_robert_allen_mnozhestvennuye_istochniki_dohoda.pdf
    • http://img1.liveinternet.ru/images/attach/c/5//4221/4221328_stalker_vse_chasti_po_poryadku_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/5//4210/4210996_skachat_igru_warcraft_4_cherez_torrent.pdf

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000248ce.bin | 880e53e6f12106514012eaabb19a261b9f8ae03d695445fc59a5b9b5a1293281 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x248CE | 3556 bytes
font_01_sfnt_off00025651.bin | 5e0c578c88f7eec2cae09eb48269181bc08411b8705ebf82da2e61e5b9f8fbd1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25651 | 14068 bytes
font_02_sfnt_off00028257.bin | 1a803d94510109e1c0ca4497b007617bc54bc3871f99963dd6d053fab28c84d6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28257 | 14468 bytes
font_03_sfnt_off0002ad0b.bin | e228eb80df1b5494371f7881d67899f1682b8dc25946a849a25687e77e26ce82 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2AD0B | 7252 bytes
font_04_sfnt_off0002c21e.bin | 819f9cc5156bfe3dae03045446d677a19b5879270357875344f9514601da73e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C21E | 6084 bytes
font_05_sfnt_off0002d1b3.bin | 9364d8c42993f0db1eb41a63b15a48dd56cef5056a611ab8e91dd81183a5a95e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D1B3 | 3752 bytes