Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5e0f51ca77834e4…

Verdict: MALICIOUS
File type: PDF
Size: 92.2 KB
Created: 2021-06-18 04:50:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 7b28caddf115d0f482367dba330b2929
SHA-1: 2f0f09dc89603353f43648411f745a6145396354
SHA-256: c5e0f51ca77834e42bcac92489b32c5bc63921bde02ee46d47419d36d9b7960f
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan payload. The presence of a 'Password-protected archive handoff' heuristic suggests the document is designed to trick the user into believing they need a password to access an archive, which likely contains the actual malware. The embedded URLs point to compromised WordPress sites, likely hosting the malicious payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (8)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off0000e790.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xE790    5080 bytes
  SHA-256: 811493479fe3b885a9ae2ae8206d2453c3f8361241ea0ad746910205a47bcb95
font_01_sfnt_off0000f948.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0xF948    5548 bytes
  SHA-256: 42c8612aed76b4c4c0983b903903eabd6cffe6ea91a49510769501ed15ecfc39
font_02_sfnt_off00010c14.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x10C14   1652 bytes
  SHA-256: e16f2500e2ed5a895957d88e0b242163be581de1032e67c59e0292619b6f6274
font_03_sfnt_off00011463.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x11463   13352 bytes
  SHA-256: 93b423e83874bc849e20034f3cdcb7d82dfcf5d5c31cb0a65f78a6331f87fa66
font_04_sfnt_off00013eed.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x13EED   16036 bytes
  SHA-256: 354dce64f07f3d7acdf6a04edf763950ffbfec4edcbb4bfe17b65a83544077bb
font_05_sfnt_off00015391.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x15391   3868 bytes
  SHA-256: cb3cadf647cee6c5136e8f1054fe36a1e375c9f158bc220caf7282128fa8b7cc