Malicious PDF — malware analysis report

Static analysis result for SHA-256 019f30675ef7c406…

MALICIOUS

PDF

74.9 KB Created: 2021-09-07 03:52:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 922878e3d4469eb1dc80582d9f104a11 SHA-1: c055c0586157e2e6e85debcaa480b2d7ee2355aa SHA-256: 019f30675ef7c40680bf283577f381356a11f7632e75565ca35cc05d98fc5a60
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF document was detected as malicious by ClamAV and ML classifiers, indicating a phishing and potential trojan threat. The heuristics suggest it functions as a link farm, directing users to compromised WordPress uploads and disposable hosting sites. The 'SE_BROWSER_INSTALL_LURE' heuristic indicates the document's primary goal is to trick the user into installing a fake browser extension or update, a common tactic for malware delivery or credential theft.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/16094b10817888---lozupawanopudaga.pdf In PDF document text
    • http://sunrui-ti.com/d/files/dufanidaxode.pdfIn PDF document text
    • http://akcjonariusz.com/UserFiles/file/42578290336.pdfIn PDF document text
    • http://sklepjola.pl/userfiles/file/1417871723.pdfIn PDF document text
    • http://mopron.ru/upload/files/47000594976.pdfIn PDF document text
    • http://ajivikafinance.com/userfiles/file/labevobegelesilugulu.pdfIn PDF document text
    • https://askopenko.com/wp-content/plugins/super-forms/uploads/php/files/de823239044d6557f840f80e3083a903/bimajuxibebulen.pdfIn PDF document text
    • https://monyetmesum.com/contents//files/vijaza.pdfIn PDF document text
    • http://aimic.com/userfiles/file/ninekuni.pdfIn PDF document text
    • https://ecohort.info/userfiles/files/vezusomufet.pdfIn PDF document text
    • https://sieseam.org/userfiles/files/79373068572.pdfIn PDF document text
    • http://radissonhoteltraining.com/userfiles/file/xebagetovajikijepebudujun.pdfIn PDF document text
    • https://austarpharma.com/upload/files/numatasal.pdfIn PDF document text
    • http://asiancfea.org/userfiles/file/jurepofuzijomixuwabel.pdfIn PDF document text
    • https://evg-prague.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160b2e8ec32bbf---5963572948.pdfIn PDF document text
    • https://volnynaklad.cz/data/file/zajosepa.pdfIn PDF document text
    • https://www.shopveriamici.com/wp-content/plugins/super-forms/uploads/php/files/6i0627e46rjjmmgj9rvtc3rctl/zafivesazapipimakuvun.pdfIn PDF document text
    • https://globalazeri.az/wp-content/plugins/super-forms/uploads/php/files/1lb645l01taer7e9ssqeqmmpv0/jexatefun.pdfIn PDF document text
    • http://skolicka.eu/foto/images/file/lasipovuloji.pdfIn PDF document text
    • https://victorybear-info.com/userfiles/files/61391990444.pdfIn PDF document text
    • http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7904cc88db---senesuvinovadebapexoseje.pdfIn PDF document text
    • http://mauchlineware.com/html/chapelstreet/web/userfiles/files/pasera.pdfIn PDF document text
    • https://sy-tech.eu/file/31714392978.pdfIn PDF document text
    • http://sva-jeanroze.com/xmedia/file/latadotaf.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=multivariable+calculus+8th+edition+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c13f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC13F 16348 bytes
SHA-256: ef10df370872cd8eeb1b9c942e6728a3c7ca73b8d93ecb8036cce0cdea89ab4e
font_01_sfnt_off0000eb47.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEB47 11224 bytes
SHA-256: b62e61db3d98c7b9a3e4912f885e7e8ecb4cfae31fc5c00e3f8ca86fbc4ec214
font_02_sfnt_off0001055c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1055C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1