Malicious PDF — malware analysis report

Static analysis result for SHA-256 53d02761d30aa899…

Verdict: MALICIOUS
File type: PDF

Size: 88.2 KB
Created: 2021-07-14 09:30:07 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-13
MD5: 9d59eb104bcdd144bfe8e01f9eff4a1f
SHA-1: 5a2c860ecca1c933c7e8919ea586ff70991daae0
SHA-256: 53d02761d30aa89932b54f7f46971c17550210a21e909d25849f36b3af4dec71
Risk score: 164

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document exhibits the characteristics of a phishing lure: it uses fake invoice language to entice the reader into clicking embedded links. The many external URIs, most of them pointing at random-slug files parked on compromised WordPress sites or disposable hosts, indicate that its purpose is to redirect readers into payload or redirect chains rather than to convey a document. The ML classifier and the ClamAV signature corroborate the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics (7)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (here it does not, hence info).
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://archism.ru/uplcv?utm_term=30+days+upon+receipt+of+invoice (PDF link annotation)
    • http://eiak.org/upload/editor/files/winijatugaberimodawemov.pdf (in PDF document text)
    • http://sclifeguards.com/clients/16854/File/xabudisomudoxad.pdf (in PDF document text)
    • https://3dreamvr.com/wp-content/plugins/super-forms/uploads/php/files/908bb4424f59edf59e2c424ec071b907/zutoginatimarixogalin.pdf (in PDF document text)
    • https://securitydm.rs/slicice/file/54905460996.pdf (in PDF document text)
    • https://advancedcheckcashadvance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e74e600c96---podoxewimuxefu.pdf (in PDF document text)
    • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/282e1677d954e7e66ac15af6f0f26d6e/lefujirepetov.pdf (in PDF document text)
    • https://harpethvalleyhealth.com/wp-content/plugins/super-forms/uploads/php/files/52a8c69a8706f5a9966d3e3d3924247d/niwobuxeme.pdf (in PDF document text)
    • https://www.techsrollout.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083d42018218---bemowosorefarunebadil.pdf (in PDF document text)
    • https://xistenze.com/files/files/61384010180.pdf (in PDF document text)
    • http://www.iqubz.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089ae9306a64---81240669156.pdf (in PDF document text)
    • https://drahmetbostanci.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071c21f99acc---kuzeputidulakiserizutej.pdf (in PDF document text)
    • https://maugli24.ru/wp-content/plugins/super-forms/uploads/php/files/1feeb0117ed47ab751340d0aecb7a305/putomununosowepa.pdf (in PDF document text)
    • http://ranaghatpchsschool.org/userfiles/file/lunaxutimadojepurerofa.pdf (in PDF document text)
    • https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/en1sg84s5dujscuvcmt4f6dlac/67564708500.pdf (in PDF document text)
    • https://akproauto.net/nbloom/fckuploads/file/jovasokiwitatukibobawu.pdf (in PDF document text)
    • http://cityhelps.org/clients/6/61/61afa7a028a8e04f14432b0fece6f2b0/File/wenarilob.pdf (in PDF document text)
    • http://mientaytourist.com/uploads/files/51749660067.pdf (in PDF document text)
    • https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/ka9ur6qapatbc3oqpn8tcps60l/23659773733.pdf (in PDF document text)
    • http://www.ashtralmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/16073c2615bf2f---78152303069.pdf (in PDF document text)
    • https://ethiquedevelopers.com/wp-content/plugins/super-forms/uploads/php/files/f8489e7d0d7ba32d7aedd446e7910fc8/80983044031.pdf (in PDF document text)
    • http://www.cerel.eu/images/wyswig_images/file/jokiwerazisigakapurimuxib.pdf (in PDF document text)
    • https://gdr.co.il/wp-content/plugins/super-forms/uploads/php/files/98dd17865b26687815ae186d31a8bf50/81593282452.pdf (in PDF document text)
    • http://wanyuantemple.tw/userfiles/file/jeriwotitivepu.pdf (in PDF document text)
    • https://mindweave.co.uk/wp-content/plugins/super-forms/uploads/php/files/15j26u3oelslvns727hb2j4n0f/42475440905.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last eight entries are XMP/RDF metadata namespace identifiers and DejaVu font project URLs carried in the document metadata and the embedded font data; they are not link targets and should be excluded before counting hosts.
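The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be reproduced from the extracted URL list alone: drop the metadata namespace URIs, count distinct hosts and the share held by the most frequent one, and look for the form-plugin upload paths, random-slug filenames and the utm_term redirector. The Python below is an added example, not the analysis platform's own detection code. The thresholds (at least 5 links on 5 hosts with no host above 50 %, and at least 3 CMS-upload links on 3 hosts), the random-slug pattern and the benign-prefix list are assumptions chosen to fit this report; the first input list is constructed from a subset of the report's URLs, the second is a constructed citation-style control.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed input: a subset of the URLs extracted from the sample above, plus
# the XMP namespace and font-licence URIs that the extractor also pulled out.
SAMPLE_URLS = [
    "https://archism.ru/uplcv?utm_term=30+days+upon+receipt+of+invoice",
    "http://eiak.org/upload/editor/files/winijatugaberimodawemov.pdf",
    "https://3dreamvr.com/wp-content/plugins/super-forms/uploads/php/files/908bb4424f59edf59e2c424ec071b907/zutoginatimarixogalin.pdf",
    "https://advancedcheckcashadvance.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e74e600c96---podoxewimuxefu.pdf",
    "https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/282e1677d954e7e66ac15af6f0f26d6e/lefujirepetov.pdf",
    "https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/en1sg84s5dujscuvcmt4f6dlac/67564708500.pdf",
    "https://www.frontierexim.com/wp-content/plugins/super-forms/uploads/php/files/ka9ur6qapatbc3oqpn8tcps60l/23659773733.pdf",
    "http://www.iqubz.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089ae9306a64---81240669156.pdf",
    "http://ranaghatpchsschool.org/userfiles/file/lunaxutimadojepurerofa.pdf",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

# Constructed control: a normal citation pattern (few hosts, one dominant).
CONTROL_URLS = [
    "https://www.rfc-editor.org/rfc/rfc8446",
    "https://www.rfc-editor.org/rfc/rfc5280",
    "https://www.rfc-editor.org/rfc/rfc6125",
    "https://www.rfc-editor.org/rfc/rfc7230",
    "https://nvd.nist.gov/vuln/search",
    "https://github.com/openssl/openssl",
]

# Assumed benign prefixes: XMP/RDF namespaces and the DejaVu font project.
BENIGN_PREFIXES = (
    "http://www.w3.org/", "http://purl.org/", "http://ns.adobe.com/",
    "http://dejavu.sourceforge.net",
)

# Upload directories of the two form plugins named by the heuristic.
CMS_UPLOAD_RE = re.compile(
    r"/wp-content/plugins/(?:super-forms/uploads/php/files|"
    r"formcraft/file-upload/server/content/files)/"
)
# Assumed random-slug shape: optional hex id + "---", then a long run of
# letters or of digits, ending in .pdf (the shapes seen in this report).
RANDOM_SLUG_RE = re.compile(r"/(?:[0-9a-f]{8,}---)?(?:[a-z]{9,}|\d{9,})\.pdf$")


def analyse_links(urls, min_links=5, min_hosts=5, max_dominant_share=0.5):
    """Score an extracted URL list against the two link-farm heuristics."""
    external = [u for u in urls if not u.startswith(BENIGN_PREFIXES)]
    parsed = [urlparse(u) for u in external]
    hosts = Counter(p.hostname for p in parsed)
    dominant_share = max(hosts.values()) / len(external) if external else 0.0

    cms_hits = [u for u, p in zip(external, parsed) if CMS_UPLOAD_RE.search(p.path)]
    slug_hits = [u for u, p in zip(external, parsed) if RANDOM_SLUG_RE.search(p.path)]
    utm_hits = [u for u, p in zip(external, parsed) if "utm_term" in parse_qs(p.query)]
    cms_hosts = {urlparse(u).hostname for u in cms_hits}

    # Compromised-CMS farm: several upload-dir links spread over several hosts.
    cms_link_farm = len(cms_hits) >= 3 and len(cms_hosts) >= 3
    # SEO farm: many links, many hosts, none dominant, plus a redirector or
    # a majority of random-slug filenames.
    seo_link_farm = (
        len(external) >= min_links
        and len(hosts) >= min_hosts
        and dominant_share <= max_dominant_share
        and (bool(utm_hits) or 2 * len(slug_hits) >= len(external))
    )
    return {
        "external": external,
        "hosts": hosts,
        "dominant_share": dominant_share,
        "cms_upload_hits": cms_hits,
        "random_slug_hits": slug_hits,
        "utm_redirectors": utm_hits,
        "cms_link_farm": cms_link_farm,
        "seo_link_farm": seo_link_farm,
    }


if __name__ == "__main__":
    for name, urls in (("sample", SAMPLE_URLS), ("control", CONTROL_URLS)):
        r = analyse_links(urls)
        print(f"{name}: {len(r['external'])} links on {len(r['hosts'])} hosts, "
              f"dominant share {r['dominant_share']:.2f}, "
              f"cms_farm={r['cms_link_farm']} seo_farm={r['seo_link_farm']}")
```

The host-share test is what separates this pattern from a legitimate document that cites one site many times; the control list fails it because two thirds of its links go to a single host. The CMS path patterns are deliberately narrow (only the two plugins the heuristic names); generic `/uploads/` or `/userfiles/` directories are too common on benign sites to use as a detection on their own.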

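The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above is a scan for the same object number and generation being defined twice with different bytes, with severity raised only when one of the bodies carries active content. The Python below is an added example of that scan, not the analysis platform's code. The sample PDF bytes are constructed (a minimal file followed by an appended incremental update that changes object 3 harmlessly and swaps the link target in object 4), and the keyword list used to decide what counts as active content is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: minimal PDF, then an incremental update appended by a
# later writer that redefines object 3 (layout only) and object 4 (new URI).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/original) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
    b" /Annots [4 0 R] >>\nendobj\n"
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
    b" /A << /S /URI /URI (https://example.invalid/replaced) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

# "N G obj ... endobj" at the file level. Lenient by design: it does not see
# objects packed inside /ObjStm streams, and binary stream data that happens to
# contain "endobj" will truncate a body early.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Assumed set of keys that make a redefinition worth escalating.
ACTIVE_RE = re.compile(
    rb"/(?:JavaScript|JS|Launch|URI|GoToR|SubmitForm|AA|OpenAction|RichMedia)\b"
)


def find_duplicate_objects(pdf_bytes):
    """Return one finding per (num, gen) defined more than once with differing bodies."""
    definitions = defaultdict(list)
    for m in OBJ_RE.finditer(pdf_bytes):
        key = (int(m.group(1)), int(m.group(2)))
        definitions[key].append((m.start(), m.group(3).strip()))

    findings = []
    for key, versions in definitions.items():
        if len(versions) < 2 or len({body for _, body in versions}) < 2:
            continue  # single definition, or a byte-identical redefinition
        active = any(ACTIVE_RE.search(body) for _, body in versions)
        findings.append({
            "obj": key,
            "definitions": len(versions),
            # What a first-wins reader resolves versus a last-wins reader.
            "first_wins": versions[0][1],
            "last_wins": versions[-1][1],
            "active_content": active,
            # Body-only differences are normal in incremental updates, so only
            # escalate when a version carries an action or script key.
            "severity": "high" if active else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_objects(SAMPLE_PDF):
        print(f"obj {f['obj'][0]} {f['obj'][1]}: {f['definitions']} definitions, "
              f"severity {f['severity']}")
        print("  first-wins:", f["first_wins"].decode(errors="replace"))
        print("  last-wins: ", f["last_wins"].decode(errors="replace"))
```

A proper triage tool would additionally walk the xref chain (`/Prev` in each trailer) to learn which definition the conforming reader is supposed to use, and decompress object streams, since a redefinition hidden inside a /ObjStm is invisible to this byte-level scan.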
Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0000f2b1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF2B1    11044 bytes
                              SHA-256: e618ba93ce44a67de7fadc3ca09999ab8597a7426551c02f2ab66740b68b7582
font_01_sfnt_off00010c98.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C98   16792 bytes
                              SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000124aa.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x124AA   18040 bytes
                              SHA-256: f5f92512445c0bf874a85d3bc63b9e179c803d00399ed6664d4f24390c9f4a6a