Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e823568851b9980…

MALICIOUS

PDF

225.7 KB Created: 2021-08-02 06:45:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 3c87bc7c5360a23d30392b8081d01897 SHA-1: a180e4e3763898aa369e1f7611f27a8a061e7e92 SHA-256: 3e823568851b99809138b0c9b178c8e7e6b12a6cdc78880ba96042ca9b4b5eb2
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to external resources, many of which point to compromised CMS upload directories. The heuristic 'PDF_RANDOM_URL_LINK' and 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' indicate a high likelihood of the document attempting to redirect the user to malicious content. The ML classifier and ClamAV detection further support its malicious nature, suggesting it's a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9852

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.publicitymailing.ie/wp-content/plugins/formcraft/file-upload/server/content/files/1606c7cde2214d---fidotatizoxujuzulilesedo.pdf In PDF document text
    • https://spitalmoldovanoua.ro/ckfinder/userfiles/files/sulojenakinozebebilidejal.pdfIn PDF document text
    • https://antae.be/app/webroot/uploads/file/27771573940.pdfIn PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/hm1lbm2pn4k3in588qp6t3c3q0/talegawe.pdfIn PDF document text
    • http://arenda-v-novosibirske.ru/ckfinder/userfiles/files/gexijufipepezukoda.pdfIn PDF document text
    • https://gfow.om/wp-content/plugins/super-forms/uploads/php/files/elpio7gbok1r957gl25b9251sj/latunoba.pdfIn PDF document text
    • http://ngocvietbungalow.com/upload/files/votaso.pdfIn PDF document text
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088cfd10ea39.pdfIn PDF document text
    • http://unipell.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160af925b1328b---36476395734.pdfIn PDF document text
    • http://subventionsbetrug.de/wp-content/plugins/super-forms/uploads/php/files/7k7kc06unf3m15ma2nlmhakloh/10890463376.pdfIn PDF document text
    • http://tks-forever.com/upload/2021/07/05/file/40752111774.pdfIn PDF document text
    • http://alexandraharris.com/clients/36054/File/lawujomozixijusedo.pdfIn PDF document text
    • http://cesishotel.lv/res/wysiwyg/file/zitawozebugeka.pdfIn PDF document text
    • http://cycling-software.com/files/file/dubizalabiwekabur.pdfIn PDF document text
    • https://fonixkoncert.hu/upload/file/xekiw.pdfIn PDF document text
    • http://elijasprojekts.lv/files/file/nefesomafidiliwepabezuxoz.pdfIn PDF document text
    • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/aaoamf7v0sd482m6ei8ip19hj0/lowiwitugepamogifaliwab.pdfIn PDF document text
    • http://aa-nusd.jp/kogasamejejenati.pdfIn PDF document text
    • http://www.belladermeestetica.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bc0cf4a2f00---83002679059.pdfIn PDF document text
    • http://shield-in.com/userfiles/files/kuvunesitevoxopavinos.pdfIn PDF document text
    • https://boumqueur-edition.com/upload/fckeditor/file/sapixevosogogememozamod.pdfIn PDF document text
    • https://etadelloro.it/images/file/53151778578.pdfIn PDF document text
    • http://propellerclubsandiego.org/uploads/files/78411496366.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a26dae16eda---lesevisi.pdfIn PDF document text
    • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/m9gnuksnrcrugdp3n4vm7qho42/rujovemisaguxuvur.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=is+there+a+frozen+3+coming+out+soonPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000310f2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x310F2 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00032909.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32909 11020 bytes
SHA-256: 977aa342338f22cc5efad43236eea1d8e8fc681d7ffca02706c197796ee7044a
font_02_sfnt_off00034298.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x34298 20996 bytes
SHA-256: 97bef6cc427af800d63ec72c1ffeb89ed956dc85ef51ee4696e419c5cd5396c5