Malicious PDF — malware analysis report

Static analysis result for SHA-256 282713f5ba84058d…

MALICIOUS

PDF

88.6 KB Created: 2021-05-26 11:16:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-16
MD5: a82d68706f5c966ac151a9395b2dc5f2 SHA-1: 02dd00a70fa6d55641a4dd44af78cc9f7192bcd8 SHA-256: 282713f5ba84058db29fa78407adbc55708f66707575b74312aeb7478cd62e0d
194 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document exhibits characteristics of a phishing lure, presenting links that appear to offer game downloads but actually point to compromised CMS upload directories. The presence of multiple links on disposable hosting and the ML classifier's high confidence score indicate malicious intent. The ClamAV detection of 'Pdf.Phishing.Trojan' further supports this assessment, suggesting the document is designed to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8025

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc15c7f7a1---fuzibofukozozovatala.pdf In PDF document text
    • http://www.onlinetemsilci.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607549adab22b---tikatew.pdfIn PDF document text
    • https://afanasyev-design.ru/wp-content/plugins/super-forms/uploads/php/files/ca13f95cac353edcd9a5c5c4ef95edf4/13947070208.pdfIn PDF document text
    • https://trichynext.com/wp-content/plugins/super-forms/uploads/php/files/25eb98ce4c1c8f3dd78cd76fc189acff/89518261746.pdfIn PDF document text
    • https://alphacleanwashing.com/wp-content/plugins/super-forms/uploads/php/files/efd990348902ade41d75ed7c95200e63/82114097977.pdfIn PDF document text
    • http://ngpsusa.com/wp-content/plugins/super-forms/uploads/php/files/k4c56d95roo9r06cl4i6daku7l/wikalirupuz.pdfIn PDF document text
    • https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/195qtitfg4462esltmk8hk9jks/33639293255.pdfIn PDF document text
    • https://ivanamihic.com//files/powimesiweguzunonolax.pdfIn PDF document text
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/cd82591ba65fef021250af671feae25d/61700028452.pdfIn PDF document text
    • http://applexin.com/ttpsea/files/file/69357820029.pdfIn PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/jjnmi1a76otbh332bptimsc154/togika.pdfIn PDF document text
    • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160ab9fc707b19---34739347105.pdfIn PDF document text
    • https://aartipalette.com/userfiles/file/75667868209.pdfIn PDF document text
    • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/ed52abd9e29ff051cf14fa0e733889d8/79608431425.pdfIn PDF document text
    • http://andlupa.com/userfiles/file/vejusasapepazifawo.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BkSY9tpko7c/uplcv?utm_term=descargar+pokemon+negro+2+en+espa%25C3%25B1ol+para+ndsPDF link annotation
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000129b8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x129B8 5800 bytes
SHA-256: 2dc3cccbdf6d81bccc5d0ba04ad6470c07a15ecb8fd8985d7d33c13600c258cd
font_01_sfnt_off00013d2b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13D2B 12576 bytes
SHA-256: c0d5eedf76cc4991a49e243f2eb861fcb8563402f40499d2c91da1a09936fdde