Malicious PDF — malware analysis report

Static analysis result for SHA-256 302e402dcbfe43f4…

Verdict: MALICIOUS
File type: PDF
Size: 939.4 KB
Created: 2021-06-25 21:54:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 77589024dd3dd2650293bbd6b1648625
SHA-1: 274f404a482586b0e5a20722b4c3249ef6e38d02
SHA-256: 302e402dcbfe43f4774176913f86b61738e510a358366c929dbc568ed6388789
Risk Score: 84

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample exhibits the characteristics of an advance-fee scam, presenting itself as a payment or parcel notification to entice the reader. It contains numerous links to external PDFs parked in the upload directories of compromised WordPress sites, suggesting a distribution mechanism for further malicious content. No JavaScript or other active content was extracted and the PDF itself carries no exploit; its structure and embedded links mark it as a lure that routes users to download, and potentially execute, further payloads from the linked destinations.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2798

Heuristics (6)

  • Advance-fee lottery/parcel scam lure (severity: high) [SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF link farm points to compromised-WordPress upload storage (severity: medium) [PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM]
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Fake invoice / payment lure (severity: low) [SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) [PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://b2cexpressdemo.com/userfiles/file/danerulibugobufaxifavoj.pdf
    • http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607060004b488---45119611125.pdf
    • https://mosoptagro.ru/wp-content/plugins/super-forms/uploads/php/files/845f15356f2622aa1e5106d21a4e2142/lerogaxavokapumibet.pdf
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090f685625dc---witikoxur.pdf
    • https://realestateconnect.pro/wp-content/plugins/super-forms/uploads/php/files/i37hq72vkdbcugr5lmnnm5pug6/sumoboledevalojikifujafuf.pdf
    • https://www.ediliziaindustriale.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093f9e5028ba---xijuv.pdf
    • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/d7pbj8rlmoc3l4o7v5lv6scg4q/vivejiboxere.pdf
    • https://thehamptonsbloomington.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f6baee457c---61442780994.pdf
    • https://doanhnghiepvietnam.org/img_duhoc/files/17025710798.pdf
    • http://aj-logistics.com/stock/userfiles/file/lolatipoxakitujopotipe.pdf
    • https://baileyelectrical.services/wp-content/plugins/super-forms/uploads/php/files/921kte3a84anr7qrq02culjba2/21050945011.pdf
    • https://dehayemek.net/upload/ckfinder/files/ridajope.pdf
    • http://akicgiyim.com/userfiles/file/nefofokuzuxofor.pdf
    • http://dangkyidol.com/wp-content/plugins/super-forms/uploads/php/files/bv5va4kijl6t3inrhfoj1ukc07/kabowazab.pdf
    • https://aawyx.com/sites/default/imageuser/file/86857954137.pdf
    • https://allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/cc683ff52b031574648cf13c85143076/velijejikisinazusugezuxaw.pdf
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160865336506b0---40494696990.pdf
    • http://conroeclassof72.com/clients/d/de/de0acc14889d5d69ce6a2e221f3e79cd/File/duranupetonezekagaxabago.pdf
    • https://lesfeesdelhetre.fr/upload/files/52953940094.pdf
    • https://wamsconference.com/wp-content/plugins/super-forms/uploads/php/files/17f891a5f2e56e255139e6e8474759b1/63747176683.pdf
    • http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/a3md1giu4fa6120t5ll2i12vls/moligizoxixuwigogivupev.pdf
    • https://sasalidayanisma.org/uploads/file/98448272266.pdf
    • http://c2mag.com/wp-content/plugins/formcraft/file-upload/server/content/files/160966dd299e46---52654318663.pdf
    • http://www.zopfitravel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f271e1092f---73989807072.pdf
    • http://asiavent.com/UserFiles/file///66281037382.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1xuhb7AK25c/uplcv?utm_term=monica+fairview+wives+with+knives
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
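
The following is an added example, not code from the analysis report or its tooling, showing the shape of two of the heuristics above on raw PDF bytes: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (the same object id defined twice with different bodies, resolved differently by first-wins and last-wins readers) and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM (link-annotation targets inside FormCraft / Super Forms upload directories spread across several hosts). The sample PDF bytes are constructed for the demo and are not the analysed file; the three upload-directory paths are copied from the URL list above, the upload-path pattern list and the three-host threshold are assumptions for illustration.

```python
# Added example (not the report's own tooling): triage two heuristic shapes
# over raw PDF bytes. SAMPLE_PDF is constructed for the demo.
import re
from urllib.parse import urlparse

# "N G obj ... endobj" on the raw bytes. Only top-level, uncompressed objects
# are visible; anything packed inside an /ObjStm is not seen by this pass.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# Literal-string /URI values. Escaped parentheses inside the string are not
# handled: good enough for triage, not a conforming PDF string parser.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Upload directories of the two WordPress form plugins named in the report.
# Assumed pattern list for illustration; extend for other CMS upload paths.
CMS_UPLOAD_PATHS = (
    "/wp-content/plugins/formcraft/file-upload/server/content/files/",
    "/wp-content/plugins/super-forms/uploads/php/files/",
)

# Constructed sample: three link annotations into plugin upload directories on
# distinct hosts (paths from the report), one benign link, and object "8 0"
# defined twice with different bodies after a %%EOF, as an incremental update.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://iideree.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607060004b488---45119611125.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/d7pbj8rlmoc3l4o7v5lv6scg4q/vivejiboxere.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.ediliziaindustriale.com/wp-content/plugins/formcraft/file-upload/server/content/files/16093f9e5028ba---xijuv.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://dejavu.sourceforge.net/wiki/index.php/License) >> >> endobj
8 0 obj << /Length 9 >> stream
Hello PDF
endstream endobj
%%EOF
8 0 obj << /Length 10 >> stream
Hello PDF!
endstream endobj
%%EOF
"""


def parse_objects(data: bytes):
    """All (num, gen, body) definitions in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(num, gen) -> bodies, for ids defined more than once with differing bytes."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(objs, key, policy="last"):
    """Model a reader: 'first' keeps the first definition, 'last' the final one."""
    matches = [b for n, g, b in objs if (n, g) == key]
    if not matches:
        return None
    return matches[0] if policy == "first" else matches[-1]


def extract_uris(objs):
    """Targets of /URI actions; PDF literal strings are bytes, so decode latin-1."""
    return [m.group(1).decode("latin-1")
            for _, _, body in objs for m in URI_RE.finditer(body)]


def cms_upload_links(uris):
    """Links whose path sits inside a known form-plugin upload directory."""
    return [u for u in uris if any(p in urlparse(u).path for p in CMS_UPLOAD_PATHS)]


def link_farm_verdict(uris, min_hosts=3):
    """Fire only when upload-dir links spread over >= min_hosts distinct hosts:
    one such link is weak evidence, many hosts is the link-farm shape."""
    hosts = {urlparse(u).hostname for u in cms_upload_links(uris)}
    return len(hosts) >= min_hosts, sorted(hosts)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    for key, versions in duplicate_objects(objs).items():
        print(f"object {key[0]} {key[1]} defined {len(versions)}x; "
              f"first-wins={resolve(objs, key, 'first')[-20:]!r} "
              f"last-wins={resolve(objs, key, 'last')[-20:]!r}")
    fired, hosts = link_farm_verdict(extract_uris(objs))
    print("PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM:", fired, hosts)
```

On the sample, object 8 0 resolves to different stream bodies depending on reader policy, and the three upload-directory links span three hosts so the link-farm check fires while the DejaVu license link does not count. Objects inside compressed object streams and /URI values written as hex strings or with escaped parentheses are outside what this pass sees, so treat a clean result from it as inconclusive rather than as a negative.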

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000e13a0.bin
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE13A0
    Size: 16792 bytes
  • font_01_sfnt_off000e2bb9.bin
    SHA-256: 60c087fdd259cd946c1ae2bb7cd2573929257909643d5e33d86e3d10c54fd550
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2BB9
    Size: 2308 bytes
  • font_02_sfnt_off000e35c8.bin
    SHA-256: abb4ea5cd74998ec6abe47ff0579b09deed0f64d686670a5829d74c2aa0b3920
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE35C8
    Size: 22508 bytes
  • font_03_sfnt_off000e6c76.bin
    SHA-256: 3ebd486235ab6c407a74d98ab9e1cf09d7661342c8c98090703f1c8ee3396579
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE6C76
    Size: 16164 bytes
  • font_04_sfnt_off000e81ee.bin
    SHA-256: 4184398a540575548fda6f5fd2c0413a3350aa7b7e83d925e8cc4aa925e8aa96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE81EE
    Size: 10624 bytes