Malicious PDF — malware analysis report

Static analysis result for SHA-256 15115c5398da28bf…

MALICIOUS

PDF

167.1 KB Created: 2021-08-13 23:00:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 24a356b2a387a0a5057bf1f38f9ccc40 SHA-1: d701ae13ae128edc9e73d57f822d337786e932e7 SHA-256: 15115c5398da28bfd2723604bc20bfa1dc4116609207a9f9a881fb42ea5e0295
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF contains embedded JavaScript and numerous external links, many pointing to potentially compromised or disposable hosting, suggesting a phishing or malware distribution lure. The 'Password-protected archive handoff' heuristic indicates the document likely instructs the user to download an archive, which is then protected by a password provided within the document itself, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9966

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tao123.me/pro_pic/files/38252117666.pdf
    • http://mcelvain2020reunion.com/clients/b/b5/b5167212b805812c9439186484f80f5e/File/kunojalanuworodote.pdf
    • http://learningkey.org/userfiles/bifowiwekefutipodowosif.pdf
    • https://cleanenergy.mn/uploads/files/sorisoporinonixumipuv.pdf
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/esed6151s3v2dd9uugeqal253v/pabowubazuk.pdf
    • http://msci.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/160f6396d428e3---20149104902.pdf
    • http://cabin4kids.org/clients/0/05/050cd0fff5f75fdfd14851583cc0de74/File/4306147432.pdf
    • http://gok-maciejowice.pl/js/ckfinder/userfiles/files/50647154589.pdf
    • http://provia-events.de/pics/fotos/1/file/94077226817.pdf
    • https://www.horisunmauritius.com/wp-content/plugins/super-forms/uploads/php/files/0002115062d6109856bcb8e69ceec03d/vodetufunogenenetoxikug.pdf
    • http://potentialdesign.cn/userfiles/file/1628077123.pdf
    • http://www.anclupnapoli.it/userfiles/file/32789399962.pdf
    • http://yournamebadges.com/withyourdog/cms_uploads/file/zutarinekogej.pdf
    • http://duhochmis.com/files/uploaded/files/36236786287.pdf
    • http://musikpark-live.de/userfiles/file/bironixozipikuvemikaniv.pdf
    • http://www.advokat.com/app/webroot/img/fck/file/79679643638.pdf
    • http://cgl.lu/userfiles/files/16041191082.pdf
    • http://cityhelps.org/clients/6/61/61afa7a028a8e04f14432b0fece6f2b0/File/xitema.pdf
    • http://xn--12cbg9dihj7egda2g6a7dceb1d2cp4nvgf4f.com/datas/files/tokipo.pdf
    • https://sancarspune.com/wp-content/plugins/super-forms/uploads/php/files/e7fbf3b3ed1f4bf030f89a31a90a8de4/9310864439.pdf
    • https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/riaeh7jmhvf3gj2bbqg919a0e1/11709220694.pdf
    • https://pypconsultores.mx/userfiles/file/kuluwogesa.pdf
    • http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/161046958cbf8e---xujodekanexajoxefibupinal.pdf
    • https://www.3dreamchurch.com/wp-content/plugins/super-forms/uploads/php/files/d35bd079f36516eee0c1caed72d51b1a/36100640742.pdf
    • http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606cb88145cb9---wotenefak.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=manual+moto+g6+plus+pdf+em+portugu%C3%AAs
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000225b0.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x225B0 16792 bytes
font_01_sfnt_off00023dc2.bin
7e83ce83a0c91a47a4d236887e5f7acdd73533b77fdc14f90bbed43aaacbf7e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23DC2 21208 bytes
font_02_sfnt_off0002725b.bin
d13cd55b2644b6aca2f4cff66ca3a6e590ef2e945f38d56d508e65954fb4a2d2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2725B 11168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.