Malicious PDF — malware analysis report

Static analysis result for SHA-256 353dc668047313d6…

MALICIOUS

PDF

302.4 KB Created: 2021-07-21 06:35:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 943b3ba3ad2148d19071322e2dddf955 SHA-1: 77ee48627bc78e674d7de06e8562157a5e46918b SHA-256: 353dc668047313d6802b68bdf61c194ed99c8e13aa5840211d5ad95b8e94c033
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to external resources, with a high-confidence heuristic indicating a random URL link. One such link points to a compromised WordPress upload storage, suggesting an attempt to host malicious files. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://activepymes.com/pub/file/25169158817.pdf
    • http://brukbet.com/user_images/file/kufunujesipifit.pdf
    • https://xn--80aaaglcftt5alesfkk7f.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/dc09b0e92c66d78ddae1753f46e13279/37908828370.pdf
    • http://imreelectric.sk/uploads/file/nimojadodemixibowuguvuze.pdf
    • https://airshow-bg.com/file/53242232022.pdf
    • https://nutricionintravenosa.com/wp-content/plugins/super-forms/uploads/php/files/0aa7267e71c59bed74b7bd9aaa0a341f/gifudebuxe.pdf
    • https://jurad.eu/files/file/94559494350.pdf
    • http://verkoop-je-wagen.be/wp-content/plugins/formcraft/file-upload/server/content/files/1608e756e2bf40---fusapijufisegazo.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/71268b93572c10236ffa4ac32a802a34/55848557795.pdf
    • http://liavanhaeringen.nl/userfiles/files/vivetonaj.pdf
    • https://amiablediamonds.com/wp-content/plugins/super-forms/uploads/php/files/d87ec7d1c8e85c6f3802db97c6c8f317/31170705404.pdf
    • http://artistalexanderkanevskyroyalshakespeareglobetheatrelondon.com/clientMedia/file/punipejodusi.pdf
    • http://righetti-ticozzi.it/userfiles/files/sagoz.pdf
    • http://lirealestatelitigator.com/wp-content/plugins/super-forms/uploads/php/files/3b3319ec43b2db054594dc02a637fe8b/26546099379.pdf
    • https://www.andyselfstorage.co.uk/wp-content/plugins/super-forms/uploads/php/files/6lkktp0f3f5kr0cdtbkh0226gd/73124157119.pdf
    • http://www.elitagida.com.tr/wp-content/plugins/super-forms/uploads/php/files/dea5hsaa97o6tn9f22m14v3hi6/81763329428.pdf
    • https://dgaspcsm.ro/ckfinder/userfiles/files/70482350972.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=matlab+a+practical+introduction+to+programming+and+problem+solving+solutions+manual+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0004380b.bin
afe50860057ba3e72c013a0e9faa0bc52b646eb1b711482a612cadd142b130a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4380B 1840 bytes
font_01_sfnt_off00044162.bin
534fbbcfc9102c294d5895d9bed5b453511ee67cb9ef6643a29ef504046bc907		 pdf-font-stream PDF embedded font (sfnt) at offset 0x44162 20172 bytes
font_02_sfnt_off000477df.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x477DF 16792 bytes
font_03_sfnt_off00048ff6.bin
dda49c936bfceddd5633cd14f3cfa443f0145e747d64902dbbab53fd28542ab0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48FF6 11260 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.