Malicious PDF — malware analysis report

Static analysis result for SHA-256 f80e412c7d1f6053…

MALICIOUS

PDF

380.8 KB Created: 2015-08-19 12:02:15 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: a1ef8ec26079b07a1de40bab82b02223 SHA-1: 6cd39811c1e2e98bca4bcf78b2d0a8019409a77f SHA-256: f80e412c7d1f6053aa447adca10c9a5f7282ed0ec0a45448b413c37cb602c669
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document was flagged by a critical heuristic for linking to known malicious redirector infrastructure. The embedded URL, http://botcraftman.ru/..., is likely part of a phishing or malware distribution chain. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D0%9C%D0%B5%D1%82%D1%80%D0%BE+2035+%D0%BA%D0%BD%D0%B8%D0%B3%D0%B0+%D1%87%D0%B8%D1%82%D0%B0%D1%82%D1%8C+%D0%BE%D0%BD%D0%BB%D0%B0%D0%B9%D0%BD&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496739_moguchie_reyndzheruy_yarost_dzhungley_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626456_skachat_key_root_master_na_android.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496730_oleg_roy_zhenschina_i_muzhchina_skachat_besplatno_fb2.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005a63c.bin
99e3edd7092c8a6365c2ac0c5a543ae7ef950c95a318ce77b048963550b7f542		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A63C 8772 bytes
font_01_sfnt_off0005bf9e.bin
226fb6cab03db6f2dfffc659e5c91176033c0360f07650e5271e618b7c412902		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BF9E 16996 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.