Malicious PDF — malware analysis report

Static analysis result for SHA-256 33236738dc3cd931…

MALICIOUS

PDF

83.6 KB Created: 2021-06-10 10:19:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-27
MD5: 930193ecf31585fd5c324273a30e6241 SHA-1: bca68e882eb6ab851f29f1dc6dc96f1b9f45bfbd SHA-256: 33236738dc3cd93114f746f5a49a72141a961fc179dd9dbaf18ef331edfe9a1c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm pointing to compromised WordPress sites and other disposable hosting, likely serving as a lure for downloading a modified application. The embedded URLs suggest a phishing or social engineering attack aimed at tricking users into downloading potentially harmful software.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=shadow+fight+2+titan+sword+mod+apk+download PDF link annotation
    • http://allaboutdowney.com/userimages/49181986539.pdfIn PDF document text
    • https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606da051d1b25---fejetufamoduzeb.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607db864e0e90---57411479900.pdfIn PDF document text
    • https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/c68f4ee975b6bd7d9bfffad7ab5981c4/ladavidadusutagazid.pdfIn PDF document text
    • http://rufullthrottle.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f71d2692e6---vupawugadi.pdfIn PDF document text
    • https://www.amiunaorchestra.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160bdcfa7a3a1f---58818672796.pdfIn PDF document text
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/b0g713o6oi69mvqfld7id8fbiv/temilezokotamegibinux.pdfIn PDF document text
    • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609af4d1d9a7e---weguva.pdfIn PDF document text
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/160728933b789e---75565067099.pdfIn PDF document text
    • https://audit-advisers.com/userfiles/file/vizodilevaxedojefoguwot.pdfIn PDF document text
    • http://esrafisek.com/images_upload/files/75813306297.pdfIn PDF document text
    • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b2ebb7a852---kukona.pdfIn PDF document text
    • https://takiminsahada.com/wp-content/plugins/super-forms/uploads/php/files/mk6la5flg17k30sooinc4utnj4/51632517948.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/8cmqs0o7n30040kj0j2qduf9q5/wuzagiwomaxom.pdfIn PDF document text
    • https://elitteaccesorios.com/wp-content/plugins/super-forms/uploads/php/files/3183nqm7ih4p6ntignnojeemub/wefivujejam.pdfIn PDF document text
    • https://performanceltg.com/wp-content/plugins/super-forms/uploads/php/files/bfb5cf5700bc3095fc99eb7688d6d1d8/92453333028.pdfIn PDF document text
    • https://butchercurnow.com/img/shop//contents/97110265643.pdfIn PDF document text
    • https://edmaker.site/wp-content/plugins/super-forms/uploads/php/files/75f561b466ca5f656892985361df114a/ninomasufugeleridoj.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000df26.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDF26 2900 bytes
SHA-256: ea2be6eb89ab0d183412f8be2b49d14b97937311539abd67af8ccd1153281577
font_01_sfnt_off0000e981.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE981 5844 bytes
SHA-256: ad2fdb5353daeab07e906f16d7839765fb01d3eabebca007c7bf6a03ccab0fbc
font_02_sfnt_off0000fd4e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD4E 4740 bytes
SHA-256: fbd3e119689f62aa08b4316ea7a84a043433bd35c813a46a0f8c906fe87ee3fb
font_03_sfnt_off00010bed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10BED 23764 bytes
SHA-256: c8c2c175b4073515d7886644595b7acbf3550260dd308a84f0bf4d3664b4a315

Open this report in the interactive analyzer, or submit your own file for analysis.