Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4bd19465944ca0a…

MALICIOUS

PDF

71.1 KB Created: 2021-05-23 19:58:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: be4e358ec35a2b387dd6a51c0791efa6 SHA-1: 747fe3d94d2fd00fdfff8e640fc7134fb29b3a05 SHA-256: a4bd19465944ca0ada55cb2ebf054b5a253281bc2d6eca8d29e95c5922a89f39
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged by multiple heuristics, including a critical ClamAV detection and an ML classifier, indicating malicious intent. It contains a link farm pointing to compromised WordPress upload directories, likely serving as a lure for users to download software. The presence of embedded URLs and the nature of the heuristics suggest an attempt to distribute malware or facilitate phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16083788fd55b4---25487221247.pdf
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1f670a28d0---duwataxonawezemazojeb.pdf
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/quntats6e3e2hbq88le5data36/29001760545.pdf
    • https://cashofferoregon.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607858e6cc3f1---3293894626.pdf
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/b4b7e3effebd7f283b264c923ae1ceb7/tagil.pdf
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/1606c85b726253---90166105161.pdf
    • https://nhaban24h.com.vn/wp-content/plugins/super-forms/uploads/php/files/hp7pkgkmrc61npr1k0u13p28nh/54133646424.pdf
    • https://simovi.mx/wp-content/plugins/formcraft/file-upload/server/content/files/160a83fd415e3f---fovukaluvojimuf.pdf
    • http://www.justgiveahand.org/wp-content/plugins/formcraft/file-upload/server/content/files/16098c5bf0eba3---valozuzulexofitopabisi.pdf
    • https://grand-forge.ru/wp-content/plugins/super-forms/uploads/php/files/a7ed994083356691ee4b866ad25c2d0e/rawetipalinu.pdf
    • http://imagespa.mx/wp-content/plugins/formcraft/file-upload/server/content/files/1608671360ee53---83061172878.pdf
    • http://accessiblevehicleservices.com/userfiles/file/70467911492.pdf
    • https://xn--64-mlcufjjaii0l.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/5ba45f65d2742638f4f8ec8a37bc00d0/pubebifi.pdf
    • https://bleikss.com/userfiles/file/35668507205.pdf
    • https://callhfelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607a7bc6c0b7e---65016995070.pdf
    • http://grani-tonkogo-mira.ru/wp-content/plugins/super-forms/uploads/php/files/58241ca0b9823b1c6d5040a270440c30/10416156886.pdf
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/43c6ce96c4a587fc6ebe9399dc4d8117/kelike.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/PmAiG5ZyT-k/uplcv?utm_term=showbox+apk+4.93+download+2018
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d524.bin
0467438e3910f0751736936cb5428cab00e8ced46da80b4a105d1900ff3462a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD524 6200 bytes
font_01_sfnt_off0000ea58.bin
780d98c2c2f12867398bd33ce5a2eb916b2137dabebe39e0c6bca5a20b82e0a8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEA58 10884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.