Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f5ad00bd1f1037c…

MALICIOUS

PDF

206.3 KB Created: 2021-08-02 22:46:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 2e3e338c30537844a865de95f2f25d26 SHA-1: c5bebb29fcd4a875f03245d0530b861597605698 SHA-256: 1f5ad00bd1f1037cc1c054059e944872493b78bc8beb11a32761f1e753cfef64
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by multiple heuristics as malicious, including ML classification and ClamAV detection. It impersonates Apple and uses an urgency lure to prompt the user to click a link, which leads to a credential phishing site. The document contains embedded URLs pointing to compromised WordPress upload storage, suggesting it is part of a larger phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7619

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://infrive.ru/uplcv?utm_term=blaze+of+battle+cheats+2019.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=blaze+of+battle+cheats+2019 PDF link annotation
    • https://www.mnspineandsport.com/wp-content/plugins/super-forms/uploads/php/files/1d3df5313cb019c62158be1e325a6caf/gubifaze.pdfIn PDF document text
    • https://htfcompact.com/wp-content/plugins/super-forms/uploads/php/files/0dddbcd532414d9d9c279b05efdf158f/21156341104.pdfIn PDF document text
    • https://westcoastmovers.ca/wp-content/plugins/super-forms/uploads/php/files/kj5674vgk2sr637n1pg604nde5/nutaxozinewedu.pdfIn PDF document text
    • http://jessicarossitto.com/clients/7/7c/7c16b8c799dae9ffcd1258f31d6ff645/File/87900515527.pdfIn PDF document text
    • http://beiks.info/public/file/34491875912.pdfIn PDF document text
    • https://primax.fr/wp-content/plugins/super-forms/uploads/php/files/r3vu1k835o00e0lk1282rlv6f7/xujas.pdfIn PDF document text
    • http://argentum.com/wp-content/plugins/super-forms/uploads/php/files/ptng0ohh1pedoknubtmdlep70s/jajunibijir.pdfIn PDF document text
    • https://atkarisuli.hu/userfiles/file/46026156731.pdfIn PDF document text
    • https://abe-rdc.com/userfiles/file/xuxifuroveremafokisuxo.pdfIn PDF document text
    • https://cabsfromheathrow.com/userfiles/file/meredubaxadezose.pdfIn PDF document text
    • https://advicezone.org.uk/wp-content/plugins/super-forms/uploads/php/files/2jevdsthsuo43n87mq53vir1k0/24554307876.pdfIn PDF document text
    • https://o-dance.com/upload/files/30573966921.pdfIn PDF document text
    • http://www.kreasoft.mx/wp-content/plugins/formcraft/file-upload/server/content/files/16071f22cbfce9---80968821629.pdfIn PDF document text
    • http://akbmodel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b757a6f0689---detojuberalinebo.pdfIn PDF document text
    • http://thuexe7cho.vn/upload/files/zepelegosobewujo.pdfIn PDF document text
    • http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a45ccc9761---xejoratodofip.pdfIn PDF document text
    • http://bogelaipigeon.com/upload/file/labadewesizinifebesejafu.pdfIn PDF document text
    • http://richmore.kr/uploadfile/fckeditor/file/jasefupakiwune.pdfIn PDF document text
    • http://verkoop-je-wagen.be/wp-content/plugins/formcraft/file-upload/server/content/files/16083f157c135a---dabajefugagovezew.pdfIn PDF document text
    • http://maxidmum.com/images/upload/fck/file/32252939530.pdfIn PDF document text
    • http://mko-yug.ru/wp-content/plugins/super-forms/uploads/php/files/0abf9b5f9479f93804b9081a1a00a337/21733204519.pdfIn PDF document text
    • http://luckyassessoria.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16095e8282e187---mimekepanakegapikufugudex.pdfIn PDF document text
    • https://premiumvipbusiness.com/wp-content/plugins/super-forms/uploads/php/files/ad2a03298a48a9da5642083d6f4f9caf/katirasufifekizo.pdfIn PDF document text
    • https://cananalimdar.com/wp-content/plugins/super-forms/uploads/php/files/oba2p10ogsj4bb17cu9ecqs2ir/goxotekunegipufiwaliw.pdfIn PDF document text
    • http://seamcc.com/UserFiles/files/67021935879.pdfIn PDF document text
    • http://chothuexehochiminh.com/userfiles/file/33592116789.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002c3c9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2C3C9 19596 bytes
SHA-256: 0691e0f687e5beaefee4faf15501ea167bfd9615ee407d30bc29d4c1079821f5
font_01_sfnt_off0002f6aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2F6AA 10852 bytes
SHA-256: 03cc9b300676cfdd136be7e831ea4e8e5005065d829c91596ba00716fb94dfbd
font_02_sfnt_off00031013.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x31013 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1