Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4253f600475202a…

MALICIOUS

PDF

83.0 KB Created: 2021-08-11 13:49:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 0aa6aeca8aa48926304dee30895edf8a SHA-1: 927421977c81f5787f21a5ee413d2290c99fd1df SHA-256: a4253f600475202ad066049caa3886147a1191a92f2fa2be9a5815e163a0dd30
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1534 Internal Spearphishing T1059.007 JavaScript T1204.002 Malicious Link

This PDF document is identified as malicious by ClamAV and a machine learning classifier. It employs a brand-impersonation credential phishing lure, specifically targeting iCloud users, and directs them to the URL `https://infrive.ru/uplcv?utm_term=how+to+save+bank+statement+as+pdf+on+ipad`. The document also contains numerous links to compromised CMS upload storage and disposable hosting, suggesting a link farm designed to distribute malicious content or host phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://infrive.ru/uplcv?utm_term=how+to+save+bank+statement+as+pdf+on+ipad.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=how+to+save+bank+statement+as+pdf+on+ipad PDF link annotation
    • https://aftaplan.com/works/peepsparty/html/upload_files/file/73654418791.pdfIn PDF document text
    • https://www.apartamentselsllacs.com/wp-content/plugins/super-forms/uploads/php/files/ttvisbro6o2veung861olj25bk/sarosalovimijejixarapux.pdfIn PDF document text
    • https://aronabritcan.com/userfiles/file/junuluguse.pdfIn PDF document text
    • https://event-connections.net/wp-content/plugins/formcraft/file-upload/server/content/files/16082b498463eb---60189482037.pdfIn PDF document text
    • https://luxmarketing.agency/wp-content/plugins/super-forms/uploads/php/files/elmfeue84ndkqosaintamvld2a/jatan.pdfIn PDF document text
    • https://aquafilling.com/userfiles/file/notezixoralizivubom.pdfIn PDF document text
    • https://krassimirtaskov.com/userfiles/files/6805233014.pdfIn PDF document text
    • https://centrumschoolka.pl/photos/file/vobawo.pdfIn PDF document text
    • https://itexpertdog.com/upload/files/sawibimonatebaruliniwipeg.pdfIn PDF document text
    • https://www.landalastadservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/160768cd3a5d83---90733723229.pdfIn PDF document text
    • http://leinerpakgelatine.com/survey/userfiles/files/10352051693.pdfIn PDF document text
    • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609aa0fc3084f---20104913905.pdfIn PDF document text
    • https://kayakbranson.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7f84223e63---xefawoposur.pdfIn PDF document text
    • http://aihyang.com/userfiles/file/56067265494.pdfIn PDF document text
    • https://3dreamstudios.com/wp-content/plugins/super-forms/uploads/php/files/174a326e2ce8f64eb4a4ca40ba09543e/4699772783.pdfIn PDF document text
    • https://vickers-electronics.co.uk/wp-content/plugins/super-forms/uploads/php/files/bc0614e8ce7faf8abff28692bf60ac9a/5287893351.pdfIn PDF document text
    • http://msci.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/1608e3ad494fa9---dekuwozi.pdfIn PDF document text
    • http://lecieldesandes.fr/ckfinder/userfiles/files/61377775774.pdfIn PDF document text
    • https://esteticarcare.com/wp-content/plugins/super-forms/uploads/php/files/575b5b97f5d225c1226a0e8a73e9b279/48155866253.pdfIn PDF document text
    • https://ventana-sur.com/wp-content/plugins/formcraft/file-upload/server/content/files/16112d876a2868.pdfIn PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fb4aff148c---7075860172.pdfIn PDF document text
    • http://casaperferiesantamariagoretti.com/writable/public/userfiles/file/nojon.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e291.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE291 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000faa3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFAA3 16588 bytes
SHA-256: dc021d84128c521e792354a811cc306ea2635394ddc9df90dda532ddacf2a9dc
font_02_sfnt_off0001259a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1259A 10888 bytes
SHA-256: e4a45a1488f5e93b21cd8294020b77bf10bac6851b4444ec1dd10dd3094a2c1a