Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e3d52cb4ccf2026…

MALICIOUS

PDF

88.8 KB Created: 2021-07-09 02:51:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: a1f6ccd012b3c4d2385558bef2bd8055 SHA-1: c76a2e8ecb1623b3d45605d75bc2321f66c29457 SHA-256: 3e3d52cb4ccf2026fce015ae737f20b24cb1844814e61be4d838c68d2ed5c8f9
256 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1539 Steal or Harvest Credentials

This PDF document is identified as malicious by ML classifiers and ClamAV, and exhibits characteristics of a phishing lure. Specifically, it requests recovery secrets or MFA confirmation, aligning with credential harvesting tactics. The document also contains numerous links to potentially compromised websites, suggesting it is part of a larger phishing infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://albino-pitti.com/pub_img/file/95955551133.pdf In PDF document text
    • https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/pqrpcsdvn2s2pp7ur0ikc2pb21/bewivogijetobuvuk.pdfIn PDF document text
    • http://elyriahigh1974.org/clients/0/05/052ab20d644b737728595af1a47b4450/File/73036150350.pdfIn PDF document text
    • https://fourseasons.events/wp-content/plugins/super-forms/uploads/php/files/3b47bf66b906d16dcb334c08309f3b13/muroz.pdfIn PDF document text
    • https://noks.cz/wp-content/plugins/formcraft/file-upload/server/content/files/160df17b44ab56---63330326017.pdfIn PDF document text
    • https://funkydrop.shop/wp-content/plugins/super-forms/uploads/php/files/478fd5aa1e81396614a36d67b8917ee0/susimuse.pdfIn PDF document text
    • https://snabavto.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606e40f909fee---fozisabedavorawibazuto.pdfIn PDF document text
    • https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/481c658aa617df532ae1b825089bf335/konikijowo.pdfIn PDF document text
    • http://www.investing-in-women.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e2b6cea620f---39688049576.pdfIn PDF document text
    • https://svetpoznaniyaonline.ru/wp-content/plugins/super-forms/uploads/php/files/63e2e0cf0a06a298e7feec562a823707/sovozaviririni.pdfIn PDF document text
    • https://www.movingwithmagna.com/wp-content/plugins/super-forms/uploads/php/files/b46c1e844c3622631c5ddfea9317084d/faloma.pdfIn PDF document text
    • https://www.hontoys.com.au/wp-content/plugins/super-forms/uploads/php/files/ej12mn4nm868a95utj854le7p3/74552304655.pdfIn PDF document text
    • http://cunningham-reunion.com/clients/7/73/7399477c88ef979e1ad3ac38e42cffcc/File/wuxakenokoluxowudix.pdfIn PDF document text
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076ece64477f---detupokozelokamuxidusujiv.pdfIn PDF document text
    • https://shotclock.ca/wp-content/plugins/super-forms/uploads/php/files/5b98f7ffd694a73bbabdc6d8ff185adb/pimenisoxasubug.pdfIn PDF document text
    • http://montagnobozzone.it/userfiles/files/74739522823.pdfIn PDF document text
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099dc4fbc2fd---3180604049.pdfIn PDF document text
    • https://advance-pack.com/editor_upload/file/lutanil.pdfIn PDF document text
    • https://alihuata.com/userfiles/file/14450707802.pdfIn PDF document text
    • https://skyfireconsulting.com/wp-content/plugins/super-forms/uploads/php/files/csmen8tvpeero3quplv7tkkot1/dokoz.pdfIn PDF document text
    • https://comfort8889.com/upload/files/92082531239.pdfIn PDF document text
    • http://loscogliodifavignana.it/userfiles/files/39480227303.pdfIn PDF document text
    • http://hodinovysoused.cz/upload/file/fesaluvuvezok.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=recover+psn+account+without+birthdayPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f3b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF3B3 11116 bytes
SHA-256: be0866e38da6e18a780a1ab65005049c1992b476b8fe7a9901f3e7bbb42f65bc
font_01_sfnt_off00010d71.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10D71 17744 bytes
SHA-256: c29aef9b689cccf14dceb2d0be4d15de5662d8db2de669b981c476ad784718e9
font_02_sfnt_off00013c17.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C17 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.