Malicious PDF — malware analysis report

Static analysis result for SHA-256 f74dac70c9f7a804…

Verdict: MALICIOUS
File type: PDF

Size: 360.4 KB
Created: 2015-08-25 15:15:48 +03:00
Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: 576f58e476e1fbf5258e600a8f2e198a
SHA-1: c68969b9c2088b12a2c1f6f64c7760e61b91baed
SHA-256: f74dac70c9f7a8047e9c1fc848df30d8a58eef636c8cf9538c3f46ea37957d72
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link to a known malicious redirector, botcraftman.ru. This indicates an attempt to lure the user to a harmful website. The document body contains garbled text and what appears to be metadata from the wkhtmltopdf tool, suggesting it was generated programmatically to host the malicious link. No scripts were extracted from this sample.

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule: PDF_MALICIOUS_REDIRECTOR_LINK)
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://botcraftman.ru/?lip&keyword=%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D1%87%D0%B8%D1%82+%D0%BD%D0%B0+%D0%BA%D0%BE%D0%BF%D0%B0%D1%82%D0%B5%D0%BB%D1%8C+%D0%BE%D0%BD%D0%BB%D0%B0%D0%B9%D0%BD+cheat+engine+62&charset=utf-8
    • http://img1.liveinternet.ru/images/attach/c/7//4731/4731917_matematika__ot__treh_.pdf
    • http://img0.liveinternet.ru/images/attach/c/7//4732/4732168_nhl__07__psp_.pdf
    • http://img1.liveinternet.ru/images/attach/c/7//4731/4731237_skachat__moduy__dlya_.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0005585e.bin
  SHA-256: cafb278465b9a52d59032adbbbe6c8f548b3f8e3d8ad0aa979a34629bd03f488
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5585E
  Size: 9104 bytes

Filename: font_01_sfnt_off00057133.bin
  SHA-256: df96dbeed6d49c1e297df8c92e471253aeab2e3f9e8e2423c68d68cd32216e97
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x57133
  Size: 15992 bytes