Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd4aa996ce5f6ea9…

MALICIOUS

PDF

128.0 KB Created: 2021-06-24 23:02:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: 188fef386038f1341f361b48a1767a14 SHA-1: 937ef47730338ab0dafbe5e016e64abac8a73d3b SHA-256: bd4aa996ce5f6ea984fe6ea9c34ffa9f655413620b2543d2efa1842d378d4704
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics and an ML classifier as malicious, with ClamAV identifying it as a phishing trojan. It contains numerous links to compromised websites, suggesting a phishing or malware distribution scheme. The document body, though heavily obfuscated, appears to be a lure related to 'pokemon xy game apk', indicating a potential scam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7790

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cructi.ru/uplcv?utm_term=pokemon+xy+game+apk PDF link annotation
    • http://countrysquirefoods.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606f023f06512---30846348046.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/1608138262319a---vuvife.pdfIn PDF document text
    • https://yarsan.ru/wp-content/plugins/super-forms/uploads/php/files/881bd64b0623a2fc2ff2f44844f51b6e/92961312023.pdfIn PDF document text
    • https://actor-conseil.com/files/file/26172925563.pdfIn PDF document text
    • http://elenasteele.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608cf0a21b6f2---46593116523.pdfIn PDF document text
    • http://faurerom.com/userfiles/file/24524808629.pdfIn PDF document text
    • https://humble-brag.com/wp-content/plugins/super-forms/uploads/php/files/8ip542470shk84hkok2qttktll/62082301616.pdfIn PDF document text
    • http://woonhuislift.info/wp-content/plugins/formcraft/file-upload/server/content/files/160a369e223806---pedodopativajerit.pdfIn PDF document text
    • https://dungcuruamui.com/wp-content/plugins/super-forms/uploads/php/files/vl5jfc52cn0mofbck37lf199ut/37888183301.pdfIn PDF document text
    • https://wacee.net/wp-content/plugins/formcraft/file-upload/server/content/files/16075dcf3987fc---janasoxo.pdfIn PDF document text
    • https://terravistahometeam.com/wp-content/plugins/super-forms/uploads/php/files/975376a9edb523a54dc15a20294f8147/neforawulubikabunesijed.pdfIn PDF document text
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/057edf6caee4fccdf93ddba245fcf4d5/63841617258.pdfIn PDF document text
    • https://www.budgetskemaet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160729fde14bf9---poxenewip.pdfIn PDF document text
    • https://yidinfo.net/wp-content/plugins/super-forms/uploads/php/files/6qbnrokue91kdrum3j6c96fhaj/49198654443.pdfIn PDF document text
    • https://gccpay.net/wp-content/plugins/super-forms/uploads/php/files/1fe31e18857e7c3f88349d574199f763/lurozujigopawep.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013e7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13E7E 53560 bytes
SHA-256: 8817b1881e68534dc88860108d8152d9531758f08fb85bc1b466d305e0e2d711
font_01_sfnt_off0001e1b1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E1B1 5068 bytes
SHA-256: cbb56f7bf2dfda11ffa811dd02cba542f3e5d31a4fa7abbe13ab6a6e89dc9d6b