Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a7520feb45d8223…

MALICIOUS

PDF

99.1 KB Created: 2021-07-05 14:35:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9be2626061ac542592a9f9561226d1ca SHA-1: 5d7ac563954c3942004860ba1386774fe69c625e SHA-256: 6a7520feb45d822304be5a21d67144dc95d07f318b41d5b907dca1e1a8928854
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The sample is a PDF document that contains a link farm pointing to various compromised WordPress sites and disposable hosting. The heuristic 'SE_PAYMENT_REDIRECT_LURE' indicates the document describes new or changed bank instructions, a common tactic in business email compromise scams. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to redirect users to phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9781

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://huntic.ru/uplcv?utm_term=what+does+the+term+op+mean
    • https://mkting.com.co/wp-content/plugins/super-forms/uploads/php/files/91a14b8a8e7614d78c2d1b2250112a2d/56735976109.pdf
    • http://manajrgvaaradhi.com/cms-uploads/files/35904727641.pdf
    • https://asiaviews.org/wp-content/plugins/super-forms/uploads/php/files/gj5hu3o689r9sjj27913ddvcl2/jexuzuna.pdf
    • http://southportrubbish.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae0b936521f---93245237671.pdf
    • http://terapeutickemasaze.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16079ae34eaf41---vagagoxikemu.pdf
    • https://www.lindopoint.it/wp-content/plugins/super-forms/uploads/php/files/3f4cb465fe0bb2cb7a80fd8de483112d/11801970284.pdf
    • http://www.huntsvillepr.com/files/files/59461116950.pdf
    • http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607556c0f1735---simijulerekefezudimixopas.pdf
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/ed878d2a9e2d2f10300c0e094d7274e9/mukogedepozomudogadi.pdf
    • https://www.hdontheroadnapoli.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607585e2d0d2c---binasotodonesinovifajiwil.pdf
    • http://plenar.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1608f6cd65581d---79602353619.pdf
    • http://abogarestudio.com/userfiles/file/kanusugalasitavopab.pdf
    • https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/4736fc06e0f23b24ce9eb1c89de41e52/17076100853.pdf
    • https://htfcompact.com/wp-content/plugins/super-forms/uploads/php/files/16ca760647e62fecb2ca5f6dd01280dc/71792860567.pdf
    • http://snookerfootball.eu/wp-content/plugins/formcraft/file-upload/server/content/files/16071a561e9651---meposa.pdf
    • http://www.idenet.net/wp-content/plugins/formcraft/file-upload/server/content/files/160db0ad3552d3---649911767.pdf
    • https://www.accidentinjurylascruces.com/wp-content/plugins/super-forms/uploads/php/files/ks8flnjrrb7rn8gof99rs8ic3a/86392954324.pdf
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/hvgs0u3k7ih8tbdodnhcn0e9p6/kipebeserid.pdf
    • http://lideparts.com/userfiles/file/1625080034.pdf
    • http://amandatravel.com/userfiles/file/gosakubufaseres.pdf
    • http://www.nanodrywash.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9f60f3248c---jogorakiter.pdf
    • https://notofthisgalaxy.com/wp-content/plugins/super-forms/uploads/php/files/5hsuh7jk5mjpla033jd2886a82/50674199669.pdf
    • https://alfa-pechati.ru/wp-content/plugins/super-forms/uploads/php/files/6358645c444da6374e07fb5c1bf9ca43/segabeninesinorefuwabotim.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00016009.bin
d9f8577b9818d26f18591da8dc7e532ed9c2351178bdbc3d90c3f247a74e81db		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16009 18536 bytes
font_00_sfnt_off0000ec2e.bin
261dd4f62e6b189f99b9f5ad80a9a31e931a69e0fac6be61726f30d434e8c835		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC2E 10512 bytes
font_01_sfnt_off000103f1.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x103F1 16792 bytes
font_02_sfnt_off00011c03.bin
bc288b9a68035d08bc84b79f3bf863b77b4275287540323b7185b90ed0a99565		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C03 22112 bytes
font_03_sfnt_off0001528f.bin
a8161c2f5ba9235eb51b4fcc43b6bb219725019365cb8d38f9ec25dfe5ce54ff		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1528F 3464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.