Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad3a51c2989bff71…

MALICIOUS

PDF

92.5 KB Created: 2021-06-26 18:15:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: e09b92bc873c25208bd654966f8be4a0 SHA-1: 37556d542f23623a4b5709931dc52b8663421ffa SHA-256: ad3a51c2989bff7170c6803e27a04caec9b5cc629cb01d1017334b9fdfb14fbf
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document exhibits multiple indicators of malicious intent, including a high ML classification score and ClamAV detection as 'Pdf.Phishing.Trojan'. It contains numerous links to external sites, some of which are hosted on compromised WordPress installations, suggesting a phishing or malware distribution scheme. The presence of a 'download button' lure and a 'password-protected archive' hint further supports a social engineering attack aimed at tricking users into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9786

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://drafthe.ru/uplcv?utm_term=how+to+edit+secured+pdf+file+in+acrobat+pro
    • http://xn--80aagkbrca3apkgkee0a1bi.xn--p1ai/ckfinder/userfiles/files/55203521560.pdf
    • http://gf-location.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16072b67b57be2---tunak.pdf
    • http://mevlanaasm.com/resimler/files/11687314566.pdf
    • http://neodev.space/wp-content/plugins/formcraft/file-upload/server/content/files/1609c240b35956---dalidefobedowe.pdf
    • http://aberdeeneyes.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608f33695a46c---31985949296.pdf
    • https://uaqbakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608768fb08fa7---lilinizirit.pdf
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160b40dbe337ff---99544763138.pdf
    • http://modnyi-buket.ru/uploads/files/67840902290.pdf
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/4d2e5e53568ebed678bfbaeab3c4932a/41643067689.pdf
    • https://www.horisunmauritius.com/wp-content/plugins/super-forms/uploads/php/files/2d67c1edff9cafd6d30e1a0ff3e08fc3/loxazofepumuzakatadositof.pdf
    • https://www.golddustdental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab7c2778f3c---xutanaz.pdf
    • https://akarchlight.com/wp-content/plugins/super-forms/uploads/php/files/60e93d1f4942e416ac9d6f2a93d07c56/76437782167.pdf
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a09de2ef240---dafiz.pdf
    • http://la-roofers.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a0b9bfa3d80---14232327731.pdf
    • http://3dsami.org/uploadfilefiles/51958921119.pdf
    • http://hoaisonland.vn/upload/files/92571283591.pdf
    • http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b90a2c6a9f5---zitamatizidigalokato.pdf
    • http://wypelnienia.kratex.pl/wp-content/plugins/super-forms/uploads/php/files/54464daac0fba3b7ca702f21bfa0ce62/78330869622.pdf
    • http://interface-referencement.com/userfiles/file/devaxopajababu.pdf
    • http://xn----8sbpvg0afdbe.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/qtnr3ldrvrsp1q38bbo7ev80n5/wanifu.pdf
    • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a4190cc2363---58585646130.pdf
    • http://www.putnamtaxi.net/wp-content/plugins/formcraft/file-upload/server/content/files/160709cf38d552---50250129561.pdf
    • http://fotografoenricogiampieri.it/userfiles/files/nobas.pdf
    • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160835fad69a97---zekabubemevig.pdf
    • https://archltginc.com/wp-content/plugins/super-forms/uploads/php/files/6a6ecc8bcefed0a362a38441e76f696e/4955476675.pdf
    • http://s292376414.onlinehome.fr/datas/imgmail/file/48063405949.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f073.bin
4b748ac6a3870275b9f4fb939e76877de896253af2e205b080ee89be6a9ec012		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF073 10928 bytes
font_01_sfnt_off000109ab.bin
a013ce2342554bbd70a9f85285a6053b67e9b25eaba0dd22223cc179b1b1ea16		 pdf-font-stream PDF embedded font (sfnt) at offset 0x109AB 16064 bytes
font_02_sfnt_off00011ebf.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11EBF 16792 bytes
font_03_sfnt_off000136d1.bin
b2b311a7c54fffb90a1f0c9a5e3156e706ebe0e4bb6dc0695d7c025902837ecd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x136D1 17364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.