Malicious PDF — malware analysis report

Static analysis result for SHA-256 0848f01f32ad07ee…

MALICIOUS

PDF

90.4 KB Created: 2021-08-05 01:38:15 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 1095c73a6607b3ee67c89817075aa0b1 SHA-1: 5e2e287ef65d8bc21e893ce25928650aeed75bcd SHA-256: 0848f01f32ad07ee736fb5194d1e26b410f6dddcdb37b18737b654f1b5079559
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple disposable hosting sites, with one URL specifically mentioning 'pokemon go hack android apk download'. This suggests a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to trick users into downloading unwanted software.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=pokemon+go+hack+android+2019+apk+download+%28unlimited+money%29 PDF link annotation
    • https://musikkursus.dk/userfiles/file/sivikuk.pdfIn PDF document text
    • https://www.andyselfstorage.co.uk/wp-content/plugins/super-forms/uploads/php/files/aui129alhk6qinuc0m6triodfs/tifawur.pdfIn PDF document text
    • https://fjordancv.info/wp-content/plugins/super-forms/uploads/php/files/2f0c70ad552d41f9f21d5aae5b9b0219/nisivopaxemibugewux.pdfIn PDF document text
    • http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1609e8a52a6dbd---gakezitekumilezumijib.pdfIn PDF document text
    • https://zazilha.com.mx/wp-content/plugins/super-forms/uploads/php/files/076fa543943b6d14f2647a6dca43c70d/70609501193.pdfIn PDF document text
    • https://nnkcreations.com/userfiles/file/82637721514.pdfIn PDF document text
    • http://www.trimbleexpress.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160c949a2ee14c---jizigodiwifafoxare.pdfIn PDF document text
    • http://jiuxingchaoshi.com/uploads/file/261325411189.pdfIn PDF document text
    • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/52e94a63cec9e5779dc25a3c5b11f51c/vebekovarawa.pdfIn PDF document text
    • https://kingwrapcarspa.com/upload/files/14527798086.pdfIn PDF document text
    • https://lerong.vn/wp-content/plugins/super-forms/uploads/php/files/113468540163da4ecb28ffa864e50ee5/vutupa.pdfIn PDF document text
    • https://mygamedaysports.com/wp-content/plugins/super-forms/uploads/php/files/0314e50ea20c676d6a03ba2221f4fbc3/79316558216.pdfIn PDF document text
    • http://aaaexpressheating.com/userfiles/file/kojop.pdfIn PDF document text
    • http://daindnc.com/fckeditor/userfiles/file/53085067553.pdfIn PDF document text
    • http://tjsijiqing.com/ckfinder/userfiles/files/2021/0606/911f59b4008343b206581f6d9f4a29be.pdfIn PDF document text
    • http://montaze.org/democms/userfiles/file/97631354012.pdfIn PDF document text
    • http://aucoindeshalles.com/menu/file/7827966998.pdfIn PDF document text
    • https://debcopharma.com/userfiles/file/lunozekafo.pdfIn PDF document text
    • https://amd-export.com/site/upload/file/24071067535.pdfIn PDF document text
    • http://relocationservicesgroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fee22d8377---10758629667.pdfIn PDF document text
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/e7328951eb4154a8ecc4065ffe8fe7aa/52826395158.pdfIn PDF document text
    • http://actlogistic.vn/upload/editor/files/26527761617.pdfIn PDF document text
    • https://landlorddebtadvisory.com/wp-content/plugins/super-forms/uploads/php/files/rj4smrd2o6g76djse8417at8j4/88942923569.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f71e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF71E 11804 bytes
SHA-256: dfc140d27ed86bfc7f27fcf3a313c1598e97d89e6dc81effd6b708a39073be05
font_01_sfnt_off00011335.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11335 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012b47.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12B47 17736 bytes
SHA-256: acbe4ca3fca11429a5d8d161eef1633c3d2025af775f70fffe1dc5dafe858c32