Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ae5d0ecc05902eb…

MALICIOUS

PDF

Size: 89.7 KB
Created: 2021-08-20 13:15:50 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 32b531a78101d603c1cf5ead344a8096
SHA-1: c5f89a9c049d36c71d45d1eb218a152e141bcf4a
SHA-256: 2ae5d0ecc05902eb7ee3b953daa631ab37a44306a3202602831a27c9a6c04019
Risk Score: 196

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, exhibiting characteristics of a phishing or trojan delivery mechanism. It contains a link farm pointing to compromised WordPress sites and other disposable hosting, likely intended to redirect users to download a second-stage payload. The presence of a 'Password-protected archive lure' heuristic suggests the user is instructed to obtain a password to decrypt the actual malware, a common tactic to bypass initial security scans.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9905

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://huntic.ru/uplcv?utm_term=jugar+age+of+empires+2+online+hamachi
    • https://alismobile.co.uk/wp-content/plugins/super-forms/uploads/php/files/ffcb108a91eb73dc4729e1fec9fadc2c/95580890469.pdf
    • http://immobilieninvestors.de/userfiles/file/sizojoradubivabaxizuv.pdf
    • https://vandolderskb.com/images/usr/6142797979.pdf
    • http://artside.org/data/temp/file/69874106023.pdf
    • https://optimustelecoms.com/ckfinder/userfiles/files/99183228978.pdf
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b9c4a7329a1---20151255033.pdf
    • https://m-co.de/wp-content/plugins/super-forms/uploads/php/files/mb89bnb6j6cqjbnnj8ul3f5o2r/49738575296.pdf
    • http://attlas.center/userfiles/file/vazogele.pdf
    • http://nutronicltd.com/userfiles/file/peraketumakozizesivitesas.pdf
    • http://milwaukee.center/userfiles/file/75870727312.pdf
    • https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/16073750889f74---pixelofegesafefuta.pdf
    • https://cmflower-kkc.com/ckfinder/userfiles/files/18350904681.pdf
    • https://ateneoarbonaida.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a38d90eb10b---72290153446.pdf
    • https://trichynext.com/wp-content/plugins/super-forms/uploads/php/files/d0ff9be7e5653131bc3164ce0386d935/gutasewosizodobamusubexe.pdf
    • https://hoavily.com/uploads/files/kalog.pdf
    • http://hogan1973.com/clients/d/d4/d4eda5e2427b34f3a15374adde9a77da/File/fademixizusikijilela.pdf
    • http://balogmihaly.hu/UserFiles/file/31580409168.pdf
    • http://magnumprint.ru/upload/files/38303375627.pdf
    • http://beerskiboot.de/img/upload/file/guxum.pdf
    • http://kondicionery-dolgoprudny.ru/upload_picture/file/tototosijekad.pdf
    • https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160edee7aaf704---48526373193.pdf
    • https://pluviaterra.mx/wp-content/plugins/super-forms/uploads/php/files/ee9526287f64f61f0949aa49daff3428/91248284026.pdf
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/161123f3dc69e7---68587862630.pdf
    • https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160cb0b271c459---wowafa.pdf
    • http://naturallabs.de/userfiles/file/baziwip.pdf
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607897ead166a---pexunuzuzijepunokuk.pdf
    • http://kioskcondoweb.wpengine.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c89975e02d7---wodunitijotabesejiwapim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off0000f5ba.bin | 6e2e1aea27d3664768e3a98440de18231035a977d30df6a17aa1e5323c310631 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF5BA | 11040 bytes |
| font_01_sfnt_off00010f3b.bin | 3c02c4e36bf1bc87fefd62fb07420304eeba9952083569ce482ee19a9894fe6b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10F3B | 18336 bytes |
| font_02_sfnt_off00013e21.bin | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13E21 | 16792 bytes |