Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7ef2fe5956f24c2…

MALICIOUS

PDF

72.1 KB Created: 2021-05-28 03:54:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a18fb72de47757f53903a62736eef98a SHA-1: 1a6a9a42baedae67f66ad7aff0d7df038da6e46f SHA-256: c7ef2fe5956f24c2e74953121f7844b5dc9452fab09a72db9000d3f0f24510ba
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains multiple embedded URLs, many of which point to compromised WordPress sites, suggesting a phishing or malware distribution attempt. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to open a password-protected archive, a common tactic to bypass gateway security. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://garglob.ru/uplcv?utm_term=how+to+hack+blockman+go+mattsun+account
    • http://porpora.biz/imagenes/imagenes_contenidos/%5C/perapipawumalonubiteb.pdf
    • https://sgpropertylawyers.com/wp-content/plugins/super-forms/uploads/php/files/b2a4d890211f404f20cfa953aedc858f/zimumedaxegusozi.pdf
    • http://english-island.pl/wp-content/plugins/super-forms/uploads/php/files/8uevcnsl5e5vp5nvd1g7lgjed5/nabotulogalilajiros.pdf
    • https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/160751cf57a9ec---loxemufi.pdf
    • http://www.rkcomdesignservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16078ca3a9c7dd---dezaxe.pdf
    • https://www.sharpeningfactory.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076298f42164---foxam.pdf
    • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160751b12cda2d---16630492389.pdf
    • https://regenerativetherapyforpain.com/wp-content/plugins/super-forms/uploads/php/files/81f9acb5c633ef326274d04588d23d78/79307316755.pdf
    • https://glosunspa.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608e11cb05372---12850359121.pdf
    • http://lubrifianti-auto.ro/files/file/muragapuv.pdf
    • https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a7671f7bde8---tupazorekivuderilizafafad.pdf
    • https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/19fb3bf9df7647828c25a2ff970ab7f0/xobiguletufuxegud.pdf
    • http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/77378690394.pdf
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/30948aa2fb06c57e1482882bc5af8ddb/49117127981.pdf
    • http://dajuicebarus.com/uploads/files/32719876467.pdf
    • https://www.nordatec.com/wp-content/plugins/super-forms/uploads/php/files/udqadvcfrsqbola8mp4urgua7s/5871526973.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cbae.bin
975354a12277bb124d7b9161a21628e11b3a1801acfc0a4a8af121602724664b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCBAE 5376 bytes
font_01_sfnt_off0000dde6.bin
8e6bc0a1ee0cf6c4bf9fbd56064bb47d9cbe4c362724d85b49f45673fcf7e512		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDDE6 11284 bytes
font_02_sfnt_off000104bd.bin
f375f760f39963ce4bd6e9eb2d56ec9aee132766bcb2b6ca8a90c51d53fc5f7d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x104BD 16184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.