Malicious PDF — malware analysis report

Static analysis result for SHA-256 31bf7fc34f8904a2…

MALICIOUS

PDF

69.7 KB Created: 2021-04-28 08:55:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 57fc6ae292f7202d098ea7df199d7ded SHA-1: a5e1c968951db108eae2d27a92c30df32883322a SHA-256: 31bf7fc34f8904a29e2229127374ea9ea685e0e80f3277aa1bac8e433d017c14
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links pointing to compromised WordPress sites, indicating a likely attempt to redirect users to malicious content. While no scripts were explicitly extracted, the PDF structure and embedded links strongly suggest a phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kystop.com/wp-content/plugins/super-forms/uploads/php/files/nuek2ikj1lq6bp67j3p5l4u266/88749523626.pdf
    • http://global-gypsum.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607068efeee27---selodewemuko.pdf
    • http://www.rec39.ru/wp-content/plugins/super-forms/uploads/php/files/1d04c042122285e6d75812c50b527742/bowimesime.pdf
    • https://www.spoton.pet/wp-content/plugins/super-forms/uploads/php/files/u1mes54u2vb0an05c8pvodkt92/41216778977.pdf
    • https://www.cocochan.com.pk/wp-content/plugins/super-forms/uploads/php/files/b223706734bbfeca9ec238e6806fd150/wipuxelewo.pdf
    • http://www.nbrownies.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160854d68a9386---65395983416.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/e2p0fvsmucbgtd2av8a8or4cf2/namulozaroge.pdf
    • https://dermo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608386ab82b51---fumuginasozokodapewesik.pdf
    • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/afa920bc6f3a79dcbed4c57089eaad6f/21356520379.pdf
    • http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607f707931652---91935189441.pdf
    • https://tecsal.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16085c2813ccf7---risosukuzugofejibawevar.pdf
    • https://www.darrellstuckey.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f1014c188c---vumapadopowiwurobu.pdf
    • https://haps.company/wp-content/plugins/super-forms/uploads/php/files/196vp82sgeft54qiahjadpo5r6/25088001572.pdf
    • http://leap-egypt.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f1183a8c3c---belejeborilitibewuxenik.pdf
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/vu42mgmccsocod46t76lbjag6f/22079239109.pdf
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608512b28bf62.pdf
    • https://realestateconnect.us/wp-content/plugins/super-forms/uploads/php/files/ml57tj4k90r62f854h3srshit3/petotugi.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/FevRqgeaUVY/uplcv?utm_term=bumblebee+transformers+songs
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d501.bin
ac7742f29801d966303f2fe2c2ad38ac1796c2314fe45b9078227b09b02c82fd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD501 5276 bytes
font_01_sfnt_off0000e6da.bin
570854d86503d11c720c48f3903e0e150a6fea77f6fe27653e0033cd9cb65715		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE6DA 10116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.