Malicious PDF — malware analysis report

Static analysis result for SHA-256 279f985a50e81515…

MALICIOUS

PDF

108.3 KB Created: 2021-06-28 18:01:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 276fc3060678e9815465b313077842b2 SHA-1: 6cb18e0864dfc5c18a444c360e7da22c84d3fc23 SHA-256: 279f985a50e815156c3c3d27c4f4be86d7f3e80e47c2c4db248f198936d3e48e
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. The critical heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document attempts to trick users into revealing sensitive recovery information. Multiple URLs point to compromised CMS uploads and link farms, suggesting a distribution mechanism for this phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9756

Heuristics 7

  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.chauffeur-prive-nice.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160938099c4da2---68996101345.pdf
    • http://4x4autok.hu/userfiles/files/nolikolakivifulaji.pdf
    • https://oknoplus-omsk.ru/wp-content/plugins/super-forms/uploads/php/files/57620aaf21cbe3befdc90068c2291fd1/61851799623.pdf
    • https://www.surajinformatics.com/wp-content/plugins/super-forms/uploads/php/files/b1e9184650adbf4b30860d44c1e7ab59/18727024245.pdf
    • https://oklogistic.lv/upload/file/22806720640.pdf
    • http://xn--42-6kcdlkbomh7beggito5p.xn--p1ai/userfiles/file/14682820437.pdf
    • http://thefjordbaklawfirm.com/clients/876731/File/99931041210.pdf
    • https://californiaoptionsrealestate.com/wp-content/plugins/super-forms/uploads/php/files/61b76647ab82edc759cec894715d0176/91215521738.pdf
    • https://addsfly.com/userfiles/file/gesiwituwotigifimop.pdf
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/tbbudf19tsid3ucs1sqj63u788/setemafazebezapegunete.pdf
    • http://vervesimuhub.com/userfiles/file/45810085691.pdf
    • https://bikinibody.be/wp-content/plugins/super-forms/uploads/php/files/et7a2ttkq0fihcfp0h523tcq25/12976604862.pdf
    • https://www.ezhealthcheck.com/wp-content/plugins/super-forms/uploads/php/files/v4ebm7c9gjj435iqae2639csbt/26239670044.pdf
    • https://smoothnomad.com/wp-content/plugins/super-forms/uploads/php/files/e9bd8vp7o70gjabnbdt8t0flbh/98936423454.pdf
    • http://www.minaakshimajumdar.com/fckimages/file/jenuvika.pdf
    • https://rcot.org/userfiles/file/89415536138.pdf
    • http://www.microsinusectomi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f659fe0fb5---35526160069.pdf
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/v3lcmcl6ue8bu9dn7dv61c76lu/zogudupediwokagumadov.pdf
    • http://industrialdevices.in/uploads/73224512824.pdf
    • https://flardochform.se/userfiles/file/nafox.pdf
    • https://areshin.ru/wp-content/plugins/super-forms/uploads/php/files/6c2fa025dbdacdcf401d8f011b1282c4/99219077779.pdf
    • http://www.naturapreserved.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078d628841d5---xiwuponesek.pdf
    • https://autotronics.vn/userfiles/file/7807877774.pdf
    • http://www.deco-interieure.com/userfiles/file/8962840640.pdf
    • https://chefinhogourmet.com/wp-content/plugins/super-forms/uploads/php/files/25814e6f25e769636796d6e312b3481b/83553299378.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/GLLx1DTH0VQ/uplcv?utm_term=systems+of+equations+maze
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011b32.bin
bc4a150e7c4b55a481a625c6079c2d983a7d377d36f53a72651cac2dc258d9fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B32 10724 bytes
font_01_sfnt_off000133e7.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x133E7 16792 bytes
font_02_sfnt_off00014bf9.bin
1989a8632edb89fe74ab4338bde971bae012d9154cf94e71321d1f01bb1ff4d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14BF9 20764 bytes
font_03_sfnt_off000181fd.bin
4cebf953690beeea976ff9c5823088164331864bd56f679addbd64069630c0c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x181FD 2948 bytes
font_04_sfnt_off00018e05.bin
6d636ebcb28a43c11a0b96216d988d0aaa25e428b847d4e039b2a2a6b6e27b6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18E05 16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.