Malicious PDF — malware analysis report

Static analysis result for SHA-256 19a9ab5c95188171…

MALICIOUS

PDF

80.4 KB Created: 2021-05-10 18:30:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 99d4681b82ddc5eb4dfeb01f4e657e93 SHA-1: 9228e282561a559e57b1e8f40ff428a1553b3dbb SHA-256: 19a9ab5c95188171b92f186a35ac7a4bf5f2cc63c73598227666c7ddac8bd7b8
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. The presence of multiple links pointing to compromised WordPress upload directories suggests an attempt to host and distribute malicious files. While no scripts were directly extracted, the PDF structure and heuristic firings strongly suggest it's designed to trick users into downloading further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://aawyx.com/sites/default/imageuser/file/xuvejoxiraburet.pdf
    • http://www.iso-clean.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5f7d95bb8---sariforirelubaxa.pdf
    • https://marciasmithconsulting.com/wp-content/plugins/super-forms/uploads/php/files/3d0c7cab08d97ac706f7b1beda535487/kumamenovij.pdf
    • http://www.majoriscambio.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1608c2f511cdda---wejufidadiki.pdf
    • https://www.llgnjinc.com/wp-content/plugins/super-forms/uploads/php/files/541a1e6bac7a2352d0c172b531efd345/kenaduzudifixebuwopodexe.pdf
    • https://www.hagensmarketing.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607488a32be5f---tonitojepexigujag.pdf
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/e3cmsvfacnulst4beb2ga314lg/sakaxetejepijemifimub.pdf
    • http://ranaghatpchsschool.org/userfiles/file/kuxadowivemo.pdf
    • http://lalitas-thaimassage-spa.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607147814401e---72816607597.pdf
    • https://doellefjelde-mussemarked.dk/images/newsmail/file/nagekipukuwulis.pdf
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607abfdfe821c---sukivoza.pdf
    • https://hondamienbac.vn/userfiles/file/penuvizojajutugubovakatuj.pdf
    • http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16083efcea7ead---57493409856.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=basanta+bilap+full+movie++720p
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.geocities.com/mitra_anirban/hobbies.htmGNU
    • http://www.gnu.org/copyleft/gpl.htmRegular
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cde8.bin
f623763e8f341dd2671d2e5b6eb642844c581a62fe600e0db3e6bb247fdc454f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDE8 3456 bytes
font_01_sfnt_off0000da66.bin
ee6c67b9b7b1b66e31c24657012aa8513d0f37889f093732fe831e02fdcad61f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDA66 5552 bytes
font_02_sfnt_off0000ed43.bin
90b772c07966fd6dba30c66079cede8491f6efaa8dc21d4d2956ffbe0d1a3064		 pdf-font-stream PDF embedded font (sfnt) at offset 0xED43 4132 bytes
font_03_sfnt_off0000fa75.bin
ca0686daaae51373123c3118443ffbf40f7f6896bcfc2cce6775ed26843701bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFA75 10344 bytes
font_04_sfnt_off00011e1b.bin
b1112a07effb8ee6ea0dcf0c3651e349b71c8ae3cf519bef323925ca549167ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E1B 16288 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.