Malicious PDF — malware analysis report

Static analysis result for SHA-256 392f3c4a023b439b…

MALICIOUS

PDF

77.5 KB Created: 2021-06-09 19:04:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-09-13
MD5: 1d11ad9bbf69efa5bc3006918f32eb94 SHA-1: 5f5844ff9f9ecb621598adbce6b0bb46e743a76b SHA-256: 392f3c4a023b439b418f60df6ad068b7fda08c815c748028a016f828fb1dbd6b
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan delivery mechanism. It functions as a link farm, directing users to download further malicious PDFs from compromised WordPress sites and other disposable hosting. The document body, though heavily obfuscated, contains text related to book downloads, suggesting a lure to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8746

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://nomylo.ru/uplcv?utm_term=aithihyamala+malayalam+book+pdf+free+download PDF link annotation
    • https://www.drserapkagan.com/wp-content/plugins/super-forms/uploads/php/files/und79lab1f86f3rs4be17ectgh/28137727635.pdfIn PDF document text
    • http://aldo-ins.com/userfiles/file/vopej.pdfIn PDF document text
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b72c5f2944---42587398665.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/342c7858d4d361f1f5482ef3b9d87007/89007579451.pdfIn PDF document text
    • http://asu.com.vn/wp-content/plugins/super-forms/uploads/php/files/1e86lp4a63a8000s1aksk8jo1g/56908934061.pdfIn PDF document text
    • https://www.hungryalex.com/wp-content/plugins/super-forms/uploads/php/files/7vfugv7u827r2ab1j1imbirdub/54845875752.pdfIn PDF document text
    • https://remoteworkerclub.com/wp-content/plugins/super-forms/uploads/php/files/1a77fda74769f8e90fc6ce57fe3b5926/midomigidokedupanetid.pdfIn PDF document text
    • http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bc9cd307825---nulikowupepifotabom.pdfIn PDF document text
    • http://rolmech-strzelno.pl/Upload/file/25567924121.pdfIn PDF document text
    • https://absolut-fit-and-dance.de/wp-content/plugins/super-forms/uploads/php/files/em77uqc7ltc9rp2h0l2ct458us/fetugo.pdfIn PDF document text
    • https://mrmobilewebsite.agency/wp-content/plugins/super-forms/uploads/php/files/7361a9d9d81f6bab23666875bc895109/kakizavozet.pdfIn PDF document text
    • https://home18.ru/wp-content/plugins/super-forms/uploads/php/files/44f115c0ed770840c126829c8f6025b7/kamuti.pdfIn PDF document text
    • http://buddhavehicle.com/userfiles/file/44092626028.pdfIn PDF document text
    • http://raunlarose.us/wp-content/plugins/formcraft/file-upload/server/content/files/160984ce66c1d4---19791240073.pdfIn PDF document text
    • https://acronimocostanzo.com/userfiles/file/33137561905.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://fedorahosted.org/lohitIn PDF document text
    • http://smc.org.in)MeeraRegularMeera2016SMC7.0.0+20171102HussainIn PDF document text
    • http://smc.org.inhttp://smc.org.inIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • https://gitlab.com/smc/meera/blob/master/COPYINGIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000eaec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEAEC 5492 bytes
SHA-256: c60441626e9e610698ce5bf557cb05a63f48c391c08ca90da00ddb72be9550f3
font_01_sfnt_off0000fd83.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFD83 6080 bytes
SHA-256: 80a33fca7c888e1672357a91170674427bd97ce78c0697b65caa0edba01295ee
font_02_sfnt_off00010e07.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E07 6364 bytes
SHA-256: e19906556686cc7f3b0a1840b079e86903d4b49ae5f379ba88acb638cf270b8d