Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f110597f7ed4063…

MALICIOUS

PDF

88.5 KB Created: 2021-06-30 23:34:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: a4cbc0da37f1b0ff115b6aaa9d14167f SHA-1: ee02c28e07bdc5ce6b62a09a57fd147cbb3d7baf SHA-256: 2f110597f7ed40635ec067701623d86aaae11654b6c37b0936f6bec151e8a39d
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document exhibits characteristics of an advance-fee scam, using urgency lures to prompt user interaction. It contains numerous links to external websites, many of which appear to be compromised WordPress installations or disposable hosting, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to redirect users to a malicious site or download a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=new+york+annual+conference
    • http://sity-luxe.ru/userfiles/file/puwetolefi.pdf
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/afehci52p3sa9pijuvbv3qcs5j/24137211547.pdf
    • https://musikkursus.dk/userfiles/file/66846964326.pdf
    • http://discarga.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0399d8a3b7---60845258933.pdf
    • http://easyreturn.store/userfiles/file/wizutabosof.pdf
    • http://kazenergy.kz/wp-content/plugins/formcraft/file-upload/server/content/files/1607d72a363302---lanosuwijomil.pdf
    • https://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0e1de818c0---55891048251.pdf
    • http://antwerp-rentals.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b45be28bbb3---tabat.pdf
    • https://www.marbelitesa.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160b75673c6e80---bizife.pdf
    • http://kazenergy.kz/wp-content/plugins/formcraft/file-upload/server/content/files/160da2d10d22af---mesawolakokutulifunelakav.pdf
    • http://paintingservicesonline.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160845fc7146a7---72881132840.pdf
    • http://ccswcd.com/userfiles/file/vepaxezajudogage.pdf
    • http://cariboohose.com/userfiles/file/rewegasurob.pdf
    • http://alpanelektrik.com/depo/sayfaresim/file/dagafirowivobijogefa.pdf
    • http://www.rebranded.tv/wp-content/plugins/formcraft/file-upload/server/content/files/16075f595cc161---naxalosuvodujasifaxodex.pdf
    • http://svs-pm.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074ade3efa9b---lekesigavesitofo.pdf
    • https://inclinedigital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c69818d371---34157888427.pdf
    • http://thefjordbaklawfirm.com/clients/876731/File/45890618684.pdf
    • http://www.lauricedale.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160d561f02d4c8---81913133579.pdf
    • http://asesorialuishervas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160abee8add5c0---12199207807.pdf
    • http://quickvideo.nl/userfiles/file/nifalesozifilutesesubap.pdf
    • https://www.advids.io/wp-content/plugins/formcraft/file-upload/server/content/files/160acfc3238769---26997653091.pdf
    • http://bizwd.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bab50ad1bee---30380124589.pdf
    • http://lovewhereyoulv.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/404fd0ee94365edf35b3bbb15ebae562/77752000055.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f8b4.bin
870ef0536ab23e5faeb88357bf98c2803ea4b292b9e39cd7dcfa6200c2fadaf5		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF8B4 10340 bytes
font_01_sfnt_off0001103d.bin
a7398f8f444bcb6c7327e1a6ea9cb5f41092b0f950c638dce8e6022aeaa21772		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1103D 17028 bytes
font_02_sfnt_off00013cb3.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13CB3 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.