Malicious PDF — malware analysis report

Static analysis result for SHA-256 14a4288f2027d6d3…

MALICIOUS

PDF

92.9 KB Created: 2021-07-04 01:14:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: aafcbb4e856e6ca63a9c60f896425ff8 SHA-1: 40261e61d58fecdba67b06ee549e4b4fcbee48d9 SHA-256: 14a4288f2027d6d37a7f45f6512fde9d89940da5c363051028409670be7831f4
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document is flagged as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. The heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document attempts to trick users into revealing recovery secrets or private keys. Numerous URLs are present, many pointing to compromised CMS uploads or disposable hosting, suggesting a link farm designed to redirect users to malicious content. No scripts were extracted, but the overall pattern suggests a phishing attempt to steal sensitive information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9924

Heuristics 7

  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=react+native+generate+signed+apk
    • https://trungtammatnamviet.vn/upload/files/mogavitifowedalawuzemob.pdf
    • http://baheth24aqari.com/ckfinder/userfiles/files/wovidu.pdf
    • http://z500.si/files/64172354628.pdf
    • http://pericosrentcar.com.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160a58270df883---6385157914.pdf
    • https://grafitpoint.ru/wp-content/plugins/super-forms/uploads/php/files/7de8f2d5dca02d72ba4f4d025d010b72/93766733391.pdf
    • http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607960d01f00c---95934058225.pdf
    • http://wagnerfamilyreunion.com/clients/866685/File/pofilatasamoxopekefabu.pdf
    • http://happypalettebnb.com/CKEdit/upload/files/4509976893.pdf
    • https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/160b89ccd305b8---7163222751.pdf
    • https://www.kiteschule-eckernfoerde.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b72f5402508---93524052462.pdf
    • http://blankheich.de/images/uploads/file/tedobajux.pdf
    • http://jnnycc.org/userfiles/file/somojomisot.pdf
    • http://chapelguild.com/images/usr/rororolazemetaki.pdf
    • http://lisahyatthealth.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609e7bd9796f5---59530143419.pdf
    • http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/1fcb2f1dbe3a1530518ac791e352f6eb/47099725574.pdf
    • http://clearlakesd.org/wp-content/plugins/formcraft/file-upload/server/content/files/160bede7054375---wapilosofutefol.pdf
    • http://mirrorgallery.com/wp-content/plugins/formcraft/file-upload/server/content/files/16098912622d21---49332043178.pdf
    • https://auf.vn/wp-content/plugins/super-forms/uploads/php/files/388oaqf41a7663pdrgnm6ev1i6/pomupibiwiloza.pdf
    • https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/oeiapdk5c9no0hc7avigv3tfte/vanagilifad.pdf
    • http://ecbpolska.pl/wp-content/plugins/super-forms/uploads/php/files/02bdfb355a568aca1150eb2c788acdfc/godamagi.pdf
    • https://beachesbrewing.com/wp-content/plugins/super-forms/uploads/php/files/bb399ac1988f7ee338cba9822dafe834/satumotapo.pdf
    • https://www.denisonlandscaping.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079593098563---pimono.pdf
    • http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/cc4d08384e8080b73981407605f92842/62556659858.pdf
    • https://elitteaccesorios.com/wp-content/plugins/super-forms/uploads/php/files/itmjupgr93qtoaf82lf39tsh58/balisukaxevotupek.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee03.bin
9aaf1b11365f693d0c42adba024054af5681fbacf9a8737f69f2b537ceadf3be		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE03 10728 bytes
font_01_sfnt_off0001069a.bin
3ca0120f50c06608a125973a8efc03a9959344d356cda74b8c611a65009940a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1069A 16652 bytes
font_02_sfnt_off00011d6a.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11D6A 16792 bytes
font_03_sfnt_off0001357c.bin
2020f930d4949b6b10c2e976cbf8a4fd905cf6030e91f60b1e40c49690edf3f2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1357C 17672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.