Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aac280b031a8faa…

MALICIOUS

PDF

60.8 KB Created: 2021-06-10 11:28:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 603d47b865d45061d3c95009c39ee74d SHA-1: 56e461b932f7dbcbc96aa35e431b780d66337d7e SHA-256: 0aac280b031a8faa00ad22a8767852156ee6654598a6ae6a678f3fec3b170adb
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing lure. It contains numerous links to external sites, many hosted on compromised WordPress installations, which likely serve as part of a link farm to distribute the malicious content. The document body, though heavily obfuscated, contains references to 'free robux lotto mod apk', suggesting a scam or phishing attempt to entice users to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9420

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=free+robux+lotto+mod+apk PDF link annotation
    • https://www.mclarenpress.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099f9a22e892---74203363555.pdfIn PDF document text
    • https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/9ec19e1a9ca1e64788b1fbc661ebea87/47132977412.pdfIn PDF document text
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a74a838b806.pdfIn PDF document text
    • https://fatheragneliti.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098a59a6f925---86787614904.pdfIn PDF document text
    • http://bamt.be/wp-content/plugins/formcraft/file-upload/server/content/files/160872f8e25565---latepim.pdfIn PDF document text
    • http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b618bee1b41---86867563922.pdfIn PDF document text
    • https://www.visitrwanda.com/wp-content/plugins/super-forms/uploads/php/files/d27020a8b1ccd75aaa1cb03ed19d2d9c/tipedamelubikadosobi.pdfIn PDF document text
    • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a28608334a0---16279996427.pdfIn PDF document text
    • http://animationcoach.com/userfiles/file/tibaxenuxibunu.pdfIn PDF document text
    • https://www.alongsideasia.com/wp-content/plugins/super-forms/uploads/php/files/3bed6ac8b7ee00922154547c346eae4c/fuzara.pdfIn PDF document text
    • https://www.guestquesttravelmedia.com/wp-content/plugins/super-forms/uploads/php/files/reipjsm76hnmi1i29mo999b6r0/16240639535.pdfIn PDF document text
    • https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e5fd0d09ca---piwukeburi.pdfIn PDF document text
    • https://alexandrapanayotou.com/web/images/static/file/92628207993.pdfIn PDF document text
    • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/b1965fa73bcab5eab9e6a349a74d759f/migowepomorevebevugeboj.pdfIn PDF document text
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/16090290ddd1fa---gugetugolalifu.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c712.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC712 2960 bytes
SHA-256: 4c688c0676da4c9c3f1d636d29496b85ed1f90b4285ee9b780884cc7de0e34ac
font_01_sfnt_off0000d182.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD182 4884 bytes
SHA-256: ba47e9e9acc47bbf61481d205b3cef59512e52e785b80062fd24b7eacdf4a783