Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0305eb186ba9587…

MALICIOUS

PDF

88.7 KB Created: 2021-07-25 18:58:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: f3d1c961e06b881d2b7e5bbb6f44c551 SHA-1: 2ba17729edfa26f2d43166ad01798aea8ee0fab9 SHA-256: a0305eb186ba9587fdae6f169d2490f95057d8611b5ea1146f15bd1b1e2d59de
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by ML classifiers and ClamAV as malicious, with heuristics indicating it is a link farm pointing to compromised WordPress uploads and potentially a phishing lure. The embedded URLs suggest an attempt to redirect the user to download further malicious content, likely a second-stage payload. The document's structure and the nature of the URLs indicate a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.vigo.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16070bd21ae4eb---xupibenafalamitisiromevo.pdf
    • http://optimus.org.au/wp-content/plugins/formcraft/file-upload/server/content/files/160b813e3ce92c---75246137384.pdf
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ac4ae929c2f---sijigupevunexev.pdf
    • http://katyababash.com/images/uploads/file/giledutijamagiserepurapof.pdf
    • https://sunwayhk.com/louis/STARKGROUP/ckfinder/userfiles/files/24222813849.pdf
    • https://alkhairi.co.uk/wp-content/plugins/super-forms/uploads/php/files/71c8b7496c29a937b6d29e40ed44f212/gugex.pdf
    • https://psychotherapie-dr-albrecht.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607af56521bcb---wozefojeju.pdf
    • http://asijskepotraviny.cz/files/file/nefula.pdf
    • http://houselandia.ru/files/vixabig.pdf
    • http://curry-box-deluxe.de/userfiles/file/4985189406.pdf
    • https://www.audifonosdoshoydos.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087e722f2c07---gimeninetoxufokumojumuxiw.pdf
    • https://observatoire-omic.org/documents/file/47372079335.pdf
    • https://songhong.info/userfiles/file/rixaxafejiza.pdf
    • http://orkoien.com/userfiles/files/sepupefina.pdf
    • http://www.cenlajobinator.com/siteuploads/editorimg/file/basorepuvulenexaka.pdf
    • http://kingalbertltd.com/uploadedfiles/file/77847052727.pdf
    • http://sequirk.ie/userfiles/file/63248844219.pdf
    • https://bestmiamiturf.com/wp-content/plugins/super-forms/uploads/php/files/db29b003b67ce536e89ad7297dd88b11/nikolelibivedalafizo.pdf
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a8ce9f4cea0---sosazo.pdf
    • http://nguoigiupviec99.com/webroot/img/files/jotivorajigo.pdf
    • https://loan-financial.com/wp-content/plugins/super-forms/uploads/php/files/9e0db921a6c1a7c03dcd315965d2c2f0/35424021923.pdf
    • http://tipsclubcr.com/campannas/file/vejibiz.pdf
    • https://bursaceviritercume.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d8c37f3a70---jutedetebugizoxezaxire.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/LPIa9PGmDLg/uplcv?utm_term=formato+del+pago+de+tenencia+2021+estado+de+mexico
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e622.bin
4d8dfad2a2b8f8e5315d19e1f2ba01244882b0a3191f6ea19996ffae23a2f9a2		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE622 18700 bytes
font_01_sfnt_off00011686.bin
40cc6d25cac7606e3ab06d1a1a708f278e2148b894a763835259f02f2c43678e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11686 11228 bytes
font_02_sfnt_off000130aa.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x130AA 16792 bytes
font_03_sfnt_off000148b7.bin
5221cc56e96b657ff7c15f49bf1fbf1b5222e15cd7ffd769ce953162a3e53832		 pdf-font-stream PDF embedded font (sfnt) at offset 0x148B7 2064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.