Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3c6988cfcbce9d4…

MALICIOUS

PDF

98.3 KB Created: 2021-06-28 07:00:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8d2632bbb37520721ba5ab18ad5601bf SHA-1: 916f650801ad6d79cb9438ddb7913ec731410145 SHA-256: a3c6988cfcbce9d41dbd906aeaa63ba3c43e566d9fb7f1fb6220744f5060a89f
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains numerous links to external websites, many of which appear to be hosted on compromised WordPress sites or disposable domains, suggesting a link farm for phishing or malware distribution. The 'SE_ADVANCE_FEE_SCAM_LURE' heuristic strongly indicates the document's content is designed to deceive users into believing they are entitled to a prize or funds, requiring a fee for delivery. The ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9800

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://krisoc.ru/uplcv?utm_term=smackdown+vs+raw+2011+psp+controls+guide
    • http://dienvietbac.com/uploads/files/binoligumadomesosi.pdf
    • http://vasvaripalmuzeum.hu/upload/file/xivetoborupojimomijot.pdf
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/45ce69139e58683fe0a7434d2bd34dbb/ropevozumeboworovopifobe.pdf
    • http://akinmedikal.com/uploads/file/gesetakekive.pdf
    • https://nationalcardsolutions.com/wp-content/plugins/formcraft/file-upload/server/content/files/160825ad28051c---pikufaxajatotel.pdf
    • https://asthasupermarket.com/userfiles/file/6299896119.pdf
    • http://www.rolstoellift.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1319f7b475---28673660280.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/160952988512c4---xefol.pdf
    • http://deryalvincotokurtarma.com/userfiles/file/53697961501.pdf
    • https://markzone.az/wp-content/plugins/super-forms/uploads/php/files/2qco1rqoauf0rqtj6joahc0s9t/bofavovedazenu.pdf
    • http://www.ponderosafestival.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adab7636459---26635872965.pdf
    • http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609b4cbcc8c1a---64086591884.pdf
    • http://baschin-heizung.com/meineBilderAlbertGrundschule/file/nujiwumutotemoket.pdf
    • http://standardamulet.com/files/files/dovozitotafudonik.pdf
    • https://akdenizokullari.k12.tr/wp-content/plugins/super-forms/uploads/php/files/vb453g0h2rgbcabd3fb6qhmn08/vuledef.pdf
    • https://www.scilights.com/wp-content/plugins/super-forms/uploads/php/files/6fc3313b3bf292cafd59a70c917f77f8/21293659443.pdf
    • https://emergent-partners.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c29c8f32361---kazekoz.pdf
    • http://micronforgacsolo.hu/UserFiles/file/9559896045.pdf
    • http://panziofabian.hu/fck_kepek/53931132040.pdf
    • http://inlikeflintlogistics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160801a71b8aaf---36775786468.pdf
    • https://bistakalikotenetwork.com/userfiles/file/dewuriku.pdf
    • http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1609dd9c6dcfc5---jakulojabaz.pdf
    • http://retroldn.com/userfiles/file/62240108173.pdf
    • http://socialbomjesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c40d9addaa5---vifunewolokomerorojokebo.pdf
    • http://www.holderit.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d6c8bf6749d---17692457106.pdf
    • http://111-orte.de/testarea/cwsCMSlight/media/files/nuluros.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011661.bin
376504f34e77f896fb0df7e5da962866bc9a6b741a946c576bcd6d5c8f5801b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11661 18624 bytes
font_01_sfnt_off00014651.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14651 16792 bytes
font_02_sfnt_off00015e68.bin
defbc6119272b7cc3b05a0fab9c14e04378178848dd03b07c463a17b256c38ea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15E68 11572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.