Malicious PDF — malware analysis report

Static analysis result for SHA-256 54c4701e56926b85…

MALICIOUS

PDF

96.4 KB Created: 2021-06-28 15:22:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c4f4a844e43a8a7e7d615e5b1fd801b8 SHA-1: bf181fe82bf50137463d2ac2a68ea6248a84227f SHA-256: 54c4701e56926b8588cde3cf5248cdd094be3844c19ed1a52aa9949e36518851
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress upload directories, indicating a link farm designed to host malicious files. The heuristic 'SE_PAYMENT_REDIRECT_LURE' strongly suggests the document's purpose is to trick users into updating payment details by impersonating a financial institution. While no scripts were explicitly extracted, the presence of embedded URLs and the ML classifier's high confidence score point towards a malicious intent, likely involving exploitation or redirection to a phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9768

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081e705bfe9d---70884839855.pdf
    • https://canvasations.com/wp-content/plugins/super-forms/uploads/php/files/fv9kor1u5oqkoauo0apb1ncb77/1963667804.pdf
    • http://alimentosldm.com/userfiles/file/mujejaxogazugofeluj.pdf
    • http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/1608991cb4ccc5---jazebujefi.pdf
    • http://effektfilm.de/files/file/bunuwovojux.pdf
    • http://md-servicios.com/userfiles/file/lakinijibevasujifoku.pdf
    • http://vladjurnalist.ru/archive/file/31046170289.pdf
    • https://technok.cz/wp-content/plugins/super-forms/uploads/php/files/d1673ed5ee0ef6d9b88ea38f33194ecb/jaxijuvujitija.pdf
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/50057dec8702da68613e877cc84ac9a7/77617344754.pdf
    • https://globalazeri.az/wp-content/plugins/super-forms/uploads/php/files/p35lr52gbjq4onvecqucrtj6s3/wizajonepogukajuvumo.pdf
    • http://www.nationaalgolfcongres.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1608ff1e983e4e---97979585670.pdf
    • https://ncfouting.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba69cfbf51f---77280803202.pdf
    • http://autoscuolavalerio.it/userfiles/files/virivolowekelezegut.pdf
    • https://gradeagroup.com/wp-content/plugins/super-forms/uploads/php/files/6ptjqt9jahu9bjtvlqr1fu66s8/jujebijode.pdf
    • https://reifenscho.de/wp-content/plugins/formcraft/file-upload/server/content/files/16084d949d8c3b---dimeretotas.pdf
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607d55cdce027---49748171384.pdf
    • http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/16079e00ba61b6---57932336949.pdf
    • http://gleneaglehoa.org/images/file/danobikovosanipelurufunow.pdf
    • https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/5f77fea6cc621bf3371674eb9a1a6c18/lonudixokugeto.pdf
    • https://purebodycare.courses/wp-content/plugins/super-forms/uploads/php/files/qc9q0g9e47lkjnrs7o138cv6ev/jojimelepetabali.pdf
    • http://adabaskimerkezi.com/upload/file/57859133386.pdf
    • http://stlnsk.ru/uploads/file/kitenilagomirubisowuzas.pdf
    • https://www.lumisolar.pe/wp-content/plugins/formcraft/file-upload/server/content/files/1607d6594e62d6---28645626115.pdf
    • http://novussiteyonetimi.com/uploads/file/nulaxukigofoxuf.pdf
    • https://www.harasportcenter.com/wp-content/plugins/super-forms/uploads/php/files/20o0fcdvmb76uovkldm660hn04/retizuxibasoxakitize.pdf
    • http://chinoboxingclub.com/clients/36032/File/77891250341.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=pay+it+forward+campaign
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fe33.bin
810951ac8012632083839f380c063cf2e93c32b50b2251fd0bce8e3957069ae4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFE33 10816 bytes
font_01_sfnt_off00011700.bin
fd494554c7a7a2c4488382a78096c535ff133766c7221992be4f6a58596b2467		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11700 16164 bytes
font_02_sfnt_off00012c76.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12C76 16792 bytes
font_03_sfnt_off00014488.bin
b2518b7141b03dbd014cecb93fad469c958d0b7da7e20a8b1b243f406aa79945		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14488 17896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.