Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e350a5434b02dad…

MALICIOUS

PDF

92.0 KB Created: 2021-07-10 07:37:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: d34bfcdb7ea56398d7c56bff5e1e2dba SHA-1: 0284f7dd93179b273974b00f35fb2b429ea1de89 SHA-256: 3e350a5434b02dad7212f0c8f433ef555f9958b4e699afa825359c6f2dc1aa4e
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a high-confidence ML classifier and ClamAV detection. The SE_PAYMENT_REDIRECT_LURE heuristic indicates the document's content is designed to trick users into believing there are new or changed payment instructions, a common tactic in business email compromise scams. The numerous embedded URLs, many pointing to compromised CMS upload storage or disposable hosting, suggest a link farm designed to redirect users to malicious sites for potential financial fraud or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://covinahigh1980.com/clients/1/14/147ee80f0cf2e08ca1b5067d21485a43/File/sijosikule.pdf In PDF document text
    • https://estidevelopers.com/wp-content/plugins/super-forms/uploads/php/files/e6f5f80ff40daccd92ccf0f0730e1501/25517206983.pdfIn PDF document text
    • https://www.adelaarenergy.com/wp-content/plugins/super-forms/uploads/php/files/rq9avq28vs8ac54c58n68qt1jr/rekiwin.pdfIn PDF document text
    • https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/6itd0cvuu50umhj7ecvepc10t9/boxuvifarozavupefalukib.pdfIn PDF document text
    • http://nc-israel.ru/upload/files/xebinafanekejabudel.pdfIn PDF document text
    • https://www.grandeprairie.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606d977a64c55---taxexemegu.pdfIn PDF document text
    • https://nutricionintravenosa.com/wp-content/plugins/super-forms/uploads/php/files/9562e3d1fd0486f3ad7e91bc06ba781a/kinowobakazebidu.pdfIn PDF document text
    • https://www.brunosistemi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae4b1c4a35c---97859696893.pdfIn PDF document text
    • http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bfb4e91e16c---padodozubumujulezegux.pdfIn PDF document text
    • https://marksiegeldds.com/wp-content/plugins/super-forms/uploads/php/files/1187fe7dac35f2f8641b042f691d4dd3/nugujixejadagor.pdfIn PDF document text
    • http://millecolori.it/images/file/63596743527.pdfIn PDF document text
    • https://acrgroup.nl/userfiles/file/14906728377.pdfIn PDF document text
    • http://elementsgogreen.com/userfiles/file/mopusixutenirixadina.pdfIn PDF document text
    • https://inlandautorepairmurrietaca.com/wp-content/plugins/super-forms/uploads/php/files/8812800596a27b9d2722e48bf4c14eec/87971180595.pdfIn PDF document text
    • http://15449010.com/FileData/ckfinder/files/20210618_26D18C5844136A25.pdfIn PDF document text
    • http://quickfix-poland.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d5fa30f65e---92683815839.pdfIn PDF document text
    • http://iphonedown.com/ckfinder/userfiles/files/33832049501.pdfIn PDF document text
    • https://higher-reason.com/wp-content/plugins/super-forms/uploads/php/files/73pu7ueeevkmidk8omcane7u5k/59635579425.pdfIn PDF document text
    • https://purpleleafestatebuyers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607523ed4638f---pikukaz.pdfIn PDF document text
    • http://bbpcosmetics.com/admin/upFiles/2021-7/file/tetabekupesimomidatogasos.pdfIn PDF document text
    • http://www.dadosefatos.net.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b63aa0cd3f6---69014933488.pdfIn PDF document text
    • https://siphouse96.com/wp-content/plugins/super-forms/uploads/php/files/7fc8ebdde58f47f8dc1ac1728e733cee/3554828153.pdfIn PDF document text
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/v1gs5lfa7leqj44f6sjo7gfd1f/jozopakefagademowulejo.pdfIn PDF document text
    • https://churchosonline.com/wp-content/plugins/super-forms/uploads/php/files/d1d330109dbfcc06d05f698270b074dc/meliled.pdfIn PDF document text
    • http://teenaramainc.org/clients/875997/File/48191312702.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=so+you+are+a+man+of+culture+as+wellPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000102e5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x102E5 10780 bytes
SHA-256: 2147c900cd576d2d8a0dc12139aee2e2066d3d81a819146f6db2381bc95ae3de
font_01_sfnt_off00011bd9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11BD9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000133eb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x133EB 17664 bytes
SHA-256: 62f1d6c36991a29f9049e4802529d10064dc4813673a8cbf72c53c9ac8074b5f