Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f78362cfecd86db…

MALICIOUS

PDF

182.8 KB Created: 2021-08-09 18:18:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c3dbd409c256585ef4c7fcd2821eaaee SHA-1: 0947ac08535a0d694b249a5aabfafb078c72ea8b SHA-256: 4f78362cfecd86db6ec479dec9390d42f1da0453ed16758a7bf011289cc0c770
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV, indicating malicious content. The presence of numerous links pointing to potentially compromised websites and the 'SE_ADVANCE_FEE_SCAM_LURE' heuristic strongly suggest the document is designed to trick users into visiting malicious sites, likely as part of an advance-fee fraud scheme. No scripts were extracted, but the document's structure and URL patterns are indicative of a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://archism.ru/uplcv?utm_term=fahrenheit+451+summary+section+1
    • http://steakclubhn.com/campannas/file/34149699756.pdf
    • http://www.gainerwindows.ca/wp-content/plugins/super-forms/uploads/php/files/dc3ppusbr11jnlin49a9b65kd4/sovakokivejov.pdf
    • http://high-keenltd.com/userfiles/file/73657744217.pdf
    • https://amkboiler.com/wp-content/plugins/super-forms/uploads/php/files/ah0a2u3k76apfc5kuckibgm27l/78268048341.pdf
    • http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160941d4c287ed---70324980157.pdf
    • https://hylyt.co/wp-content/plugins/super-forms/uploads/php/files/0cd938f7f238042f21570cca82caa117/vemevosa.pdf
    • https://www.dyna-tech.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607c09f5dc8a5---87917672061.pdf
    • http://palyavalaszto.hu/teszt/upload/file/sujavanasegudo.pdf
    • http://ascensionchina.com/userfiles/file/lalikepikomusemepuratone.pdf
    • http://www.restorationservice.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160877d4313809---gafimuxiwapowatolasawi.pdf
    • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609aab9033c88---kizitebizapivakapenidox.pdf
    • http://auto-spec.ca/fck/file/92629858058.pdf
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0c092350fd---82741505550.pdf
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087b07c8ee7e---jojegaxivabawujugel.pdf
    • http://brodart01.com/wp-content/plugins/super-forms/uploads/php/files/dbrk2ov8qsefmdkt8id03irsql/wusuxidikunukeni.pdf
    • http://bagandpack.ru/wp-content/plugins/super-forms/uploads/php/files/f5871c685a5121eed797f50b68e0df23/6521070213.pdf
    • http://www.gradur.ba/wp-content/plugins/formcraft/file-upload/server/content/files/1607fc9d30195f---fodawefujibid.pdf
    • https://louvre.lv/res/wysiwyg/file/wopobutip.pdf
    • http://www.combatsim.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160bef6a62573d---wefukire.pdf
    • https://1sis.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609cacacd0b23---51152916148.pdf
    • http://analogsys.com/uploaded/file/125543184060a48e06a8782.pdf
    • https://creationstationdance.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083da9821fdd---95905503713.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00026a5b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x26A5B 16792 bytes
font_01_sfnt_off00028272.bin
ebacdc5d01456b71a5fbc6b4badac8116cbdbf816a8818716d18fe9890d3c117		 pdf-font-stream PDF embedded font (sfnt) at offset 0x28272 10904 bytes
font_02_sfnt_off00029ba9.bin
7ae2da676df541ae823c9e7ae198f8da6c15419144a74127c7de6913e9d42445		 pdf-font-stream PDF embedded font (sfnt) at offset 0x29BA9 19088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.