Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe8c5bb12b1d9f50…

MALICIOUS

PDF

354.8 KB Created: 2015-08-19 14:03:56 +03:00 Authoring application: wkhtmltopdf 0.12.2.4 (via Qt 4.8.6)
MD5: e09c4b02fc137308a33b1451e84d7007 SHA-1: 5482e243861f95a8c18ce78d15238f762e3e3eca SHA-256: fe8c5bb12b1d9f50bebbb47d0234717852afca8b50086c7024112c796b24a15c
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains an embedded link to 'botcraftman.ru', which is flagged as a known malicious redirector. This indicates the file's primary purpose is to lure users to a potentially harmful website. The ML classifier also strongly indicated maliciousness. No scripts were extracted, limiting further analysis of the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://botcraftman.ru/?lip&keyword=%D1%81%D0%B2%D0%B8%D0%BD%D0%BA%D0%B0+%D0%BF%D0%B5%D0%BF%D0%BF%D0%B0+%D1%81%D0%BA%D0%B0%D1%87%D0%B0%D1%82%D1%8C+%D0%B1%D0%B5%D1%81%D0%BF%D0%BB%D0%B0%D1%82%D0%BD%D0%BE+%D0%BD%D0%B0+%D1%80%D1%83%D1%81%D1%81%D0%BA%D0%BE%D0%BC+%D1%8F%D0%B7%D1%8B%D0%BA%D0%B5&charset=utf-8
    • http://img0.liveinternet.ru/images/attach/c/6//4496/4496739_moguchie_reyndzheruy_yarost_dzhungley_skachat_torrent.pdf
    • http://img0.liveinternet.ru/images/attach/c/6//4626/4626607_skachat_kontakt_master_polnuyu_versiyu_dlya_vzloma.pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000547e9.bin
27b539023e95fcdc145f2a674e9c32cd21729f009fcc35291cf27dfebea92ad7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x547E9 8076 bytes
font_01_sfnt_off00055f79.bin
54e1a78edea6c5078616f182f1bfd92e6c58b1a67963b59f9502d2eaeaa4b78a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55F79 13596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.