Malicious PDF — malware analysis report

Static analysis result for SHA-256 4531aa05e427f050…

MALICIOUS

PDF

1.04 MB Created: 2021-08-12 01:15:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: e641d62f8c76d53e7abf887b80cec5c9 SHA-1: 5c960752e2539a6d7d99e64cbf437596c9549c1d SHA-256: 4531aa05e427f05026f318879ab6ab2add894d0bd2f65433a6847412d25c6656
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1539 Steal or Harvest Credentials

The sample is identified as malicious by ClamAV and exhibits characteristics of a phishing lure. It impersonates a cloud document service and requests MFA confirmation, likely to harvest credentials or session tokens. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document's purpose is to trick users into downloading a password-protected archive, often used to bypass security filters. No scripts were extracted, but the presence of numerous URLs pointing to compromised WordPress sites and file-sharing services indicates a distribution mechanism for malicious payloads.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3199

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=2014+forest+hills+drive+album+zip+download+dopefile PDF link annotation
    • http://thesetnews.com/images/fckeditor/file/rovuz.pdfIn PDF document text
    • https://windfreeklima.com/upload/ckfinder/files/xujageruxugajenukexe.pdfIn PDF document text
    • https://connect.allianceflooring.net/wp-content/plugins/super-forms/uploads/php/files/ab638008bc32864e60bf0d0c02f95ccc/71595029274.pdfIn PDF document text
    • http://shannonlakeestates.org/fck_images/file/52836498091.pdfIn PDF document text
    • https://diversified-nj.com/wp-content/plugins/super-forms/uploads/php/files/94e437888249aec2f7818e2b64519bd2/fimabitowupidizimo.pdfIn PDF document text
    • http://svx.su/ffile/file/78424341837.pdfIn PDF document text
    • http://msci.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/160a985fa14dd0---riwaga.pdfIn PDF document text
    • http://nakamurasangyou.jp/app/webroot/uploads/files/71775181806.pdfIn PDF document text
    • http://reszke.pl/fckeditor/editor/filemanager/connectors/php/file/15977237784.pdfIn PDF document text
    • http://waltwhitmanhsclassof1970.com/clients/3/38/385e9ad2c098ba3bcab8db81b262ab1e/File/ravubep.pdfIn PDF document text
    • http://lawcab.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16105e6a9745b0---56282786044.pdfIn PDF document text
    • http://banghetretunhien.com/media/ftp/file/zomawemonoli.pdfIn PDF document text
    • http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16093b616e3c33---57467580900.pdfIn PDF document text
    • https://phatgiaolongan.com/upload/ckupload/files/fakewodatemowikafiwa.pdfIn PDF document text
    • http://chandigarhdatarecovery.com/files/file/temikonapoxibivupudokawo.pdfIn PDF document text
    • http://qtjdb.com/UploadFile/2021/05/15/file/20210515_165501_191.pdfIn PDF document text
    • http://officinedesign.it/userfiles/files/11221658081.pdfIn PDF document text
    • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/ppklm4841b0uei9cn1pu4ne06d/bavubepurovabadegebal.pdfIn PDF document text
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/1607701a77083e---82170090201.pdfIn PDF document text
    • http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606f968286d27---tawuruzenupewilem.pdfIn PDF document text
    • http://makaifruits.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4ee7bf376a---femupojosutusu.pdfIn PDF document text
    • http://asokmontridental.com/userfiles/file/lovoxamuwobeduwapadi.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00103d87.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x103D87 11488 bytes
SHA-256: 983eebf5997ec9f1c3c67fdecac3f40a06767f9ac754b98555f27e9371a80741
font_01_sfnt_off00105881.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x105881 15804 bytes
SHA-256: bb5f693807b9903e9db98d6620baacd6882ce6793c05554421437cbda73cf556
font_02_sfnt_off00108118.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x108118 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1