Malicious PDF — malware analysis report

Static analysis result for SHA-256 3363c1ba5b1d6c66…

Verdict: MALICIOUS
File type: PDF
Size: 85.4 KB
Created: 2021-09-04 09:27:48 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-18
MD5: bef4396907104cde442a55303dd6b06d
SHA-1: e3847dcb0f922fe399bf1837978d74f36bf1ed44
SHA-256: 3363c1ba5b1d6c66b12dd5414989055cf56687b56504e7fba48badf5afacbd62
Risk score: 216

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document exhibits multiple indicators of malicious activity, including a high ML classifier score and ClamAV detection as a phishing trojan. The presence of a 'Password-protected archive handoff' heuristic suggests the document is designed to trick users into opening a password-protected file, likely to bypass security controls. Additionally, callback phishing lures and numerous embedded URLs pointing to potentially compromised or disposable hosting services indicate a phishing or credential harvesting attempt. No scripts were extracted, but the overall pattern suggests a multi-stage attack where the PDF serves as a lure for a subsequent payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000e56e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE56E | 11516 bytes | b33f402dd37ad74c1e652a22f1e944c19015161815a69108a8c38da6869b3939
font_01_sfnt_off0001002b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1002B | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001183d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1183D | 17964 bytes | b146051068921f1fb84d423a3ee595952b8aeae14e9502dc3cb81d5a48690f84