Malicious PDF — malware analysis report

Static analysis result for SHA-256 90f64113e7e57d0a…

MALICIOUS

PDF

85.0 KB Created: 2021-07-10 06:51:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-04
MD5: 6140aad00bf69dbf6d0beea0747ed788 SHA-1: 5a144b292aebd992b7d4ad5a487426cf6af72ede SHA-256: 90f64113e7e57d0a5e6a0fa69517a9e92a2689ddf2b4bf1517c6be8d0ff7a0fa
244 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document exhibits multiple indicators of malicious intent, including a high ML classification score and ClamAV detection as a phishing trojan. The document employs social engineering tactics by presenting a fake download button and a QR code lure, aiming to trick users into installing a browser extension or update. Several URLs point to compromised WordPress sites and disposable hosting, suggesting a link farm designed to distribute malware or lead to phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 10

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://asupuro.com/upload/save_image/files/94597523277.pdf In PDF document text
    • http://xycrusher.com/d/files/wagazigidatatazofokavu.pdfIn PDF document text
    • https://hylyt.co/wp-content/plugins/super-forms/uploads/php/files/76ebffdbabb5b4e533f3220094223093/xugalipelodinikon.pdfIn PDF document text
    • https://vieclambaohiem24h.com/upload/files/77300267762.pdfIn PDF document text
    • http://albino-pitti.com/pub_img/file/nuvudubomiwirobuzomepages.pdfIn PDF document text
    • https://somogyplusz.hu/files/jojizure.pdfIn PDF document text
    • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/16075d9e928953---tigugefedu.pdfIn PDF document text
    • http://ineke-ott.nl/keramiek-beelden-imagesfile/jarelixururasamozulebogut.pdfIn PDF document text
    • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1606fc64ca5a04---bodedex.pdfIn PDF document text
    • http://www.norestim.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160db42544962c---5793932981.pdfIn PDF document text
    • http://ccsl.asia/files/12285552888.pdfIn PDF document text
    • http://granite1962.com/clients/869125/File/3503542919.pdfIn PDF document text
    • https://sandalyecenneti.com/wp-content/plugins/super-forms/uploads/php/files/ml6pqk6ecl7ph2hqdtqen6qjv5/pinatasozosavas.pdfIn PDF document text
    • http://struttur-arch.it/userfiles/files/xekuladituxuniv.pdfIn PDF document text
    • http://peaceinsrilanka.lk/userfiles/file/76977377102.pdfIn PDF document text
    • http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607c8f438239d---ririxikas.pdfIn PDF document text
    • http://79.170.40.182/boothtastic.com/wp-content/plugins/formcraft/file-upload/server/content/files/160798782e0f8f---kogagaterodagubuzosuweza.pdfPDF link annotation
    • https://xn--22ck6bdp5cach0mc23a.com/ckfinder/userfiles/files/30415103137.pdfIn PDF document text
    • http://cleannshieldflorida.com/wp-content/plugins/super-forms/uploads/php/files/a9b811f2a56c5bd3e6ac366cd1082a24/vipumekimuzizipuwof.pdfIn PDF document text
    • http://pebyte.com/wp-content/plugins/super-forms/uploads/php/files/dtoclmhkqa2fsk1l5oc2niht7b/4405935813.pdfIn PDF document text
    • http://principessavencanice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f4bd8a6db0---figupawimenomu.pdfIn PDF document text
    • https://www.thecandystoresudbury.com/wp-content/plugins/super-forms/uploads/php/files/q52f2essejlttqqu4ist89si51/kovinasusakivodatudiguk.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/DOqCt-cVA4I/uplcv?utm_term=how+to+get+fortnite+on+chromebook+2020PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8d6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE8D6 10956 bytes
SHA-256: 8d2edef159af1f96d92bd621f852ea94c91c37610e73c59ddd64f135ff689180
font_01_sfnt_off00010219.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10219 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011a2b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A2B 17088 bytes
SHA-256: 1362979781ffcae63e9feb34939d1d78e8ce4ca370502330624bc6cdab215ae8

Open this report in the interactive analyzer, or submit your own file for analysis.