Malicious PDF — malware analysis report

Static analysis result for SHA-256 28298725766e889e…

MALICIOUS

PDF

91.4 KB Created: 2021-06-14 02:08:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 053551f3c031a3db931d97e6221c6032 SHA-1: e9c7926351460b01dd0c684bb9be40cfd4fc8e84 SHA-256: 28298725766e889ed1e547f4955b4b5b46791d6d0760becbb68495ea29641023
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file was detected as malicious by ML classifiers and ClamAV, indicating a phishing or trojan payload. It contains numerous links to compromised websites, suggesting a link farm used to distribute malware or redirect users to malicious content. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://coretry.ru/uplcv?utm_term=mw3+spec+ops+mod+menu+ps3
    • http://chonburi33.com/userfiles/file/67036935700.pdf
    • http://www.jamesbgriffinlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc94c5c6a0---jakorapegepawesulenil.pdf
    • https://viajespereira.com/wp-content/plugins/formcraft/file-upload/server/content/files/160845a0c204c3---duloxede.pdf
    • https://areicon.com/images/file/pekokirunotewe.pdf
    • https://www.myosiaffiliate.com/199trust/img/file/dodejiwezuwapixaza.pdf
    • https://healthmatters.me/userfiles/file/gudekojoduzotaw.pdf
    • http://hattrick-sports.com/wp-content/plugins/formcraft/file-upload/server/content/files/160760418b6882---zafuki.pdf
    • https://jaunimodienos.lt/wp-content/plugins/super-forms/uploads/php/files/jb6tlkfbmt5g7hnfik9qv5jjc6/12656008421.pdf
    • https://tavio.ru/files/file/manivijilexabumusexinoxon.pdf
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/ded71b9bb62934c9b19b619e1b41debd/xokatifib.pdf
    • https://www.ideaklinik.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1607e7f3a3d071---22149830574.pdf
    • http://duancanhotot.com/upload/files/futimagopubeveg.pdf
    • https://whiteplacard.com/UserFiles/file/15675739820.pdf
    • https://atl-50.com/files/file/39621874583.pdf
    • http://www.festivalmarrakech.info/wp-content/plugins/formcraft/file-upload/server/content/files/16075bf3ad5ea8---wajotumoxo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001221d.bin
78e86be6a6e6f8f0d95efd4cc449a57f6834706a5a962d737fd34e2a6888f6d0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1221D 5140 bytes
font_01_sfnt_off000133ab.bin
c4129acc8dc5766180cd877f60c96c07a13c7b97e7bc9c797dd0a2e662f74995		 pdf-font-stream PDF embedded font (sfnt) at offset 0x133AB 13628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.