Malicious PDF — malware analysis report

Static analysis result for SHA-256 15e832db6c8843e0…

MALICIOUS

PDF

82.5 KB Created: 2021-06-26 09:17:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 74d395e8c309a691fa91d28344da2094 SHA-1: 285412ee95ccce74c5baf96bfac4c1b7669f6cca SHA-256: 15e832db6c8843e003724b54670aad2421efb17fa00f805908fb729bddb3613b
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains heuristics indicating it is a link farm and potentially malicious, with a high ML classifier score and ClamAV detection. Notably, it includes an instruction to disable security software, which is unusual and high-risk. While no scripts were extracted, the presence of multiple external URLs and the security bypass instruction suggest an attempt to lure the user into downloading and executing a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9928

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kaptenhoki.info/contents//files/pegogogub.pdf
    • http://nek.ua/wp-content/plugins/formcraft/file-upload/server/content/files/160bce23f4c42f---wirew.pdf
    • https://mercedesmazo.es/wp-content/plugins/formcraft/file-upload/server/content/files/16091b5c897a85---56501362163.pdf
    • https://seataclightingalaska.com/wp-content/plugins/super-forms/uploads/php/files/7de4972e9b9f2adbaf7b01d6da99f22c/85653702532.pdf
    • https://abofahed.com/userfiles/file/vumosevon.pdf
    • https://lynnesnaturaltreats.com.au/wp-content/plugins/super-forms/uploads/php/files/504b3a850c772d1d3376b834e0181e75/tivowo.pdf
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c4725e7dd85---lalazepivuvezojixuwuv.pdf
    • http://a2itsolutions.com/chop/multimedia/userfiles/file/lofupavifotejokixasaja.pdf
    • https://pankalconstructora.com/wp-content/plugins/formcraft/file-upload/server/content/files/160874c5b74a78---zopodabojuzetewagep.pdf
    • http://serdceprirody.ru/userfiles/file/kutijukekijonivamot.pdf
    • https://expungemyrecordnj.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c8330d6e4a---19461357656.pdf
    • https://qualitycountscleaning.com/wp-content/plugins/super-forms/uploads/php/files/6223fda46a3a0b719f72b3b939faf250/revinokejudaxokosa.pdf
    • http://uat.ideadunes.com/projects/ideadunes-portfolio-site/wp-content/plugins/formcraft/file-upload/server/content/files/1608a04eba837a---wijarajaxodenitax.pdf
    • https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/5664a5vp7j3e26um7mokl4jdvi/52514747293.pdf
    • https://t2sc.me/userfiles/rezik.pdf
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d6a37636e1f---sanofis.pdf
    • https://www.gml.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606e1d01c467e---soworapelovanenuk.pdf
    • http://www.cuadernos.in/wp-content/plugins/formcraft/file-upload/server/content/files/160ac0b912e737---xewiwepuwugure.pdf
    • http://sosnovgeo.ru/userfiles/file/zetotajulagotavawuzep.pdf
    • http://unioncentralreunion.com/clients/3/3a/3acd25563584ef55397927d4124196c4/File/75934725784.pdf
    • http://abogarestudio.com/userfiles/file/keravoserumivikukijibegux.pdf
    • https://pointsourcegroup.com/wp-content/plugins/super-forms/uploads/php/files/aaaf3a4966cba211927a1a7cba2f6ee7/rifezovom.pdf
    • http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/9rv8pelpoj6ohc52a97o4pbui5/mawujise.pdf
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a92dc78726---sewapidel.pdf
    • https://www.alarisusallc.com/wp-content/plugins/super-forms/uploads/php/files/0054af86d527cc61f8d343a612bcaaea/neziwuribosob.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=fortnite+skin+changer+free+download+pc
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c8a5.bin
cc2505ab83fbf33696acb0848b8e26c23af15f8386b2fcd27bfa33c9c60216c2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC8A5 17180 bytes
font_01_sfnt_off0000f4dc.bin
72dd55403894d4b4622306d8e53457d72b134b3bf00c4f2ea670cc2f6870813f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF4DC 16152 bytes
font_02_sfnt_off00010a56.bin
1bfaa5aed253652e990d288d51be9b00188546cdd4c8a47922adbbab53fd879d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A56 11056 bytes
font_03_sfnt_off000123e4.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x123E4 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.