Malicious PDF — malware analysis report

Static analysis result for SHA-256 78f2c7aa8b43edc6…

MALICIOUS

PDF

115.3 KB Created: 2021-06-26 07:13:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 1ba84f5d9b28ee1f7394f1b1059a4ec3 SHA-1: 56e98d99cc00c1dbc4ecd15603edcf94819ebe47 SHA-256: 78f2c7aa8b43edc6fff99861f27c8207a4c977f94075b321c18143b9507bf586
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document employs a social engineering lure, instructing the user to install a browser extension or update to view content, which is a common tactic for credential harvesting or malware delivery. The presence of numerous links to compromised CMS uploads and disposable hosting, coupled with a high ML classifier score and ClamAV detection, strongly indicates malicious intent. While no scripts were directly extracted, the overall structure and heuristic firings suggest it acts as a dropper or phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=adobe+pdf+specifications
    • https://area34.info/wp-content/plugins/super-forms/uploads/php/files/66ej1u7c3aai6u4kf2dtcimfi5/bazaterijevomebozokimuva.pdf
    • http://0-50.ru/userfiles/file/65077229686.pdf
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e1844e3a58---letunuliwevamojibegawu.pdf
    • https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/22chs5nvf50c2cqt1pmdlv17q4/masazegitajugiribamaz.pdf
    • http://nuyewrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/3a882d8857655202790429508c854e83/zusixuxodopixa.pdf
    • https://slaterlighting.com/wp-content/plugins/super-forms/uploads/php/files/6101dbccf8389c5cdf939fbedaa3f8d9/nurogepesugenejobuwajotux.pdf
    • http://beautifulmoda.com/userfiles/files/69719133456.pdf
    • http://arc-en-cielproduce.com/ckfinder/userfiles/files/mujoriwuparebuzuzubiso.pdf
    • https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/160beb0ae35ffd---63255210004.pdf
    • http://www.advokat.com/app/webroot/img/fck/file/69711055561.pdf
    • http://lifestyleufa.ru/wp-content/plugins/super-forms/uploads/php/files/bf05e42fed630b963ae808cbb1364081/55278177429.pdf
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/5ag7c7vvg9pdsllcudo64uhcr7/logugunodunepakeneze.pdf
    • https://mannerfeltdesignteam.se/ckfinder/userfiles/files/fafikifilalozukonidofizo.pdf
    • https://noddy.nu/images/file/75900202596.pdf
    • https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b0815f068ec---pitififukuxubiguni.pdf
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f19bb36bef---39198435565.pdf
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a20761f1b4d---wosofezepulitapowaru.pdf
    • http://triumphtoday.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607a6e5366b11---382272843.pdf
    • https://marmarases.com/upload/ckfinder/files/deziragapojazofetepen.pdf
    • http://bascobrunswick.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608bc507df81b---torapojewiroxosotipud.pdf
    • https://rosemonttherapy.health/wp-content/plugins/super-forms/uploads/php/files/oj701mg70an1keemgo78gqegi5/51203264310.pdf
    • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/160839ce103f5e---xitufopepuro.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001603b.bin
aac92831e06989f116760b56fba2189d0f4cdb1b7aa71349fe5ebbdfc36acc5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1603B 18308 bytes
font_01_sfnt_off00019013.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19013 16792 bytes
font_02_sfnt_off0001a82a.bin
93a9fbc5cf3a08d7c3b433d93538e04862dd298febd1a1b2afb7f1f5e1b05fc2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A82A 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.