Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6edda3df99bd32f…

Verdict: MALICIOUS
File type: PDF
Size: 70.4 KB
Created: 2021-04-29 01:52:17 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7583a4f5ed22797ee90c7dd2e361e974
SHA-1: 6fe9bc7d1e78a1c1facb26110db2ef99f42aee4f
SHA-256: a6edda3df99bd32fcf8584f78337639e44391cf0578d018bab49585a956fdd69
Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by ML and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links pointing to compromised WordPress sites, likely intended to host and distribute further malicious content. The presence of embedded URLs and the nature of the heuristics suggest an attempt to trick the user into downloading a payload disguised as a PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000d457.bin
    SHA-256: 923523bde16df295a3497e4e322c90cd7c8ef80b2dce84ee82f47cb96763d30a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD457; Size: 5064 bytes
  • font_01_sfnt_off0000e599.bin
    SHA-256: d4eccf1837c539dbee61efa0f45d9c81b66391e06ea5d6ec2f6e29be16490a89
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE599; Size: 11452 bytes