Malicious PDF — malware analysis report

Static analysis result for SHA-256 28afe7792f38b3a6…

MALICIOUS

PDF

65.9 KB Created: 2021-05-24 02:47:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 46caf53fd7d5194513a02dac7a3d38d3 SHA-1: b1011059ddf965648730bd0aa53b6ff04f5c7109 SHA-256: 28afe7792f38b3a61a94bce7c02d5948743f0ee3e113ef5f3cf2c35404f56824
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous links to external websites, many of which are hosted on compromised CMS upload directories, suggesting a link farm or phishing attempt. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, contains keywords related to psychological assessment, likely serving as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9112

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://auf.vn/wp-content/plugins/super-forms/uploads/php/files/se8ru2l5mahf5vlnjarmg4nfl0/43383839943.pdf
    • https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/2a974683f5a0ecc345590b0a6c35152d/dilowonigafanapibumuko.pdf
    • http://archinfo.ru/uploads/file/garitazususani.pdf
    • http://drstevealbrecht.com/wp-content/plugins/super-forms/uploads/php/files/4ddcce6729b70a844fb043531739ac36/fujemodun.pdf
    • https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076161e44b90---60736240636.pdf
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087805f84829---vetowaret.pdf
    • http://cohn-vossen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160850bc0a9e55---talaxijokifekaxejodanako.pdf
    • https://buddingheights.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606ce800868d7---jotuviditumurugiv.pdf
    • http://aihyang.com/userfiles/file/dufoninepezexofodutod.pdf
    • https://gmonlinestore.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d2537b2c05---folukotodofovunorara.pdf
    • http://finsura-lifedirect.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16094a2abd6b54---49617770355.pdf
    • http://jamoncup.es/wp-content/plugins/formcraft/file-upload/server/content/files/1607d6e1046163---72555465674.pdf
    • https://asaptransfers.co.uk/wp-content/plugins/super-forms/uploads/php/files/rlcl8m3s28sd97cb55jm9u83v5/37370827946.pdf
    • https://www.schroedersales.com/wp-content/plugins/super-forms/uploads/php/files/10ac175f4aa82b6203454830a8da2424/xopatugifevokeleka.pdf
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607a3619338d3---fudoledatonufekinugedu.pdf
    • http://cohn-vossen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3090e5b798---62936385609.pdf
    • http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/994b2d13b89ef34d8e477f41a60cd4a4/rinazujuravup.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=psychological+assessment+kaplan+and+saccuzzo+pdf
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d153.bin
bc9384432bc10cf5037b9cb7aad65dd154e875e14ca01a4b572b8a855342f942		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD153 5688 bytes
font_01_sfnt_off0000e4a8.bin
17dc343365d2499226f38000e3e910e78069f577fad86f345f2f0f5b81e287b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4A8 10664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.