Malicious PDF — malware analysis report

Static analysis result for SHA-256 28ca8ae27bcbb318…

MALICIOUS

PDF

86.2 KB Created: 2021-08-31 15:23:34 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e5025b45308a94bb964761ffeac76d85 SHA-1: d20d96d27319e2132f1fd8e5690d0083204543ca SHA-256: 28ca8ae27bcbb31805c1baf5b5a9efff86e0d69333c08033a6fc093285649592
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external websites, many of which are hosted on compromised or disposable domains, suggesting a link farm or phishing lure. The ML classifier and ClamAV detection strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are consistent with a phishing campaign aiming to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9911

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://iaestedresden.de/userfiles/file/22570608820.pdf
    • https://tavio.ru/files/file/lifosipolivasedide.pdf
    • https://media-get.com/userfiles/files/25499446267.pdf
    • https://mangonebike.com/uploads/file/nesolibewujogijesaseranat.pdf
    • http://kliknetezde.cz/admin/obrazky/file/zusepevejixizesusami.pdf
    • http://tianlanip.com/filespath/files/20210814012210.pdf
    • https://alternativecarrepair.com/userfiles/file/55704984813.pdf
    • http://thegioichuyendong.info/app/webroot/upload/files/93605384335.pdf
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/57eui07ns8mbt3uu9e1j9vc4s8/65873034679.pdf
    • http://langeline.com/ckeditor/upload/files/77613127842.pdf
    • http://www.mmalappeenranta.com/tiedostot/files/27364662223.pdf
    • http://wine-paraphernalia.com/files/winep/_repo/file/tofekuvevow.pdf
    • http://vom-ragnaroek.de/uploads/file/vujuworeki.pdf
    • https://rybczewice.pl/userfiles/file/voxina.pdf
    • https://webhostmurah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba45934cc5e---16562824373.pdf
    • https://xn----8sbaavnccwq4am.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/ae05889c12db415428e91ce6060f6699/vufugimowopotutonasobadu.pdf
    • http://nppmaudaha.in/ckfinder/userfiles/files/16365112873.pdf
    • http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c90b029989---sajefimilavawa.pdf
    • http://cameronhaddock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be76e1ee6ba---22926746162.pdf
    • http://dodogs.ru/sites/default/files/file/15366738094.pdf
    • http://www.thelawchamber.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0aea4139b6---gumewowonub.pdf
    • https://christianboudreau.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ad7f0e25f80---dezufoxixiwufutedeladug.pdf
    • http://nuyewpilot.academy/wp-content/plugins/super-forms/uploads/php/files/56a3329e6d68d2b60b132c6f39e10edb/namekagadanesuja.pdf
    • https://marblobathware.ph/app/webroot/img/files/notosixetipavexevixefozo.pdf
    • https://camile.vn/wp-content/plugins/super-forms/uploads/php/files/1stolresbucslmn5mq49uk7hg2/pilul.pdf
    • https://nilsagame.com/calisma2/files/uploads/16226722825.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/6naE_Nh8_CY/uplcv?utm_term=retail+banking+products+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e4b3.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE4B3 16792 bytes
font_01_sfnt_off0000fcca.bin
e72d78dad2b295887029053f635e0213d6a114b864f4fe8642efac4cf5ba34c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFCCA 11172 bytes
font_02_sfnt_off00011697.bin
6db7a6db3e40b4f3e188f53aed463a6cd76b9301e5f14b983871807cb4dc8617		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11697 19144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.