Malicious PDF — malware analysis report

Static analysis result for SHA-256 282d1be5c2de7648…

Verdict: MALICIOUS
File type: PDF
Size: 247.8 KB
Created: 2021-06-25 10:02:49 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8f150e6baec7fd431a069ab80fcdcc6
SHA-1: 3498b779215280fe41037da1493e6adca0c3bb2c
SHA-256: 282d1be5c2de764856f9dce168cc005d056aadc5202fca86079e280b6398d058
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous links pointing to compromised WordPress sites, specifically to files stored through those sites' file-upload plugins. The ML classifier and the ClamAV detection strongly indicate malicious intent, most likely phishing or malware distribution. Although no scripts were extracted from the file, the PDF structure and the embedded URLs suggest it is designed to redirect the user to download a secondary malicious file.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8304

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • stream_007_off00035fb3.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x35FB3; Size: 32264 bytes
    SHA-256: df5f6358be10cbab5811b13ccbc66569443ef7f56d28340d18a04a28b753d876
  • font_00_sfnt_off0002eee4.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x2EEE4; Size: 5648 bytes
    SHA-256: d436fc2ecd51c86a311959902ea1791064013a910fad17612eb4be024f951c4a
  • font_01_sfnt_off000301f6.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x301F6; Size: 3772 bytes
    SHA-256: b850e935aaf604f3e1824861b6c46746957ce6d0e1401f4bf16d070b42224529
  • font_02_sfnt_off00030d92.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x30D92; Size: 5520 bytes
    SHA-256: ad1d6c152cb355eafac29643dd5068bbffaa181304bb887627258a98ae35742d
  • font_03_sfnt_off00031cc0.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x31CC0; Size: 12388 bytes
    SHA-256: 55836b00bd248d787e3fee09835c4527925baa5d10811f99a8de5c3df6302afc
  • font_04_sfnt_off000346c1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x346C1; Size: 17388 bytes
    SHA-256: b320db5ed5432e78f88eaa6afbb65ddac7d1877f530d428bd1cd88a3d73f304e
  • font_06_sfnt_off0003b5dc.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3B5DC; Size: 1736 bytes
    SHA-256: 551918360585b1590efa6fd2a215345b2f702067d151a0e4b48cfa7490b57960
  • font_07_sfnt_off0003bd21.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3BD21; Size: 6296 bytes
    SHA-256: 1661b5cb7b173fb12b5c3e5bcbb377521dad699b7e8a91a82efa70880195ec37