Malicious PDF — malware analysis report

Static analysis result for SHA-256 c853672527daf0f3…

MALICIOUS

PDF

84.7 KB Created: 2021-06-25 15:41:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 50d51e646c541df538c432b1ff43fa89 SHA-1: f08026d40ff32df3f9ed597558b4700ec283b4cc SHA-256: c853672527daf0f31da38f6dea5ee541971ef4c6dd9f8f6ffd18e2a7faab6189
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by ClamAV as Pdf.Phishing.Trojan and by an ML classifier as malicious. The document contains a link farm pointing to various PDF files hosted on compromised WordPress sites, and the 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates it likely instructs the user to open a password-protected archive. This suggests a phishing or credential harvesting attempt, possibly to deliver a second-stage payload disguised as an archive.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chocoinmobiliario.com/wp-content/plugins/super-forms/uploads/php/files/0a1ea2d7b19fd16d4bed05bc739f99d8/vakilizowepiwobelen.pdf
    • https://primewestelectrical.com/wp-content/plugins/super-forms/uploads/php/files/44ce93ae1f12b9bb68e9109772ad6e4e/leganumenegemif.pdf
    • http://sshs61.com/clients/6/60/60e739d5a8cf4a6710e4f064fd99417d/File/zidewagasonubaruridudotuz.pdf
    • https://apexforestservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094d850c4a31---65172283283.pdf
    • https://agsposure.org/wp-content/plugins/super-forms/uploads/php/files/2ababe18775c0f72183e033f914aadcd/loriwubejedobupev.pdf
    • http://www.kocay.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/16079ad5c0a081---36015276391.pdf
    • http://metzpaintings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c14a5bf3fa---7590250705.pdf
    • https://www.ikedatosou.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ee297a31da---5008620419.pdf
    • http://s8radziejowice-paszkow.pl/userfiles/file/wezekowitavawowar.pdf
    • https://luminex.pl/upload/file/dosubipuzuzaxudegavoli.pdf
    • http://brandnewgoods.net/userfiles/file/33272139425.pdf
    • http://myhomeinparis.com/userfiles/files/rusirabub.pdf
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079ff0fa81d1---42890611783.pdf
    • https://decoveinvestment.com/userfiles/file/29766701541.pdf
    • https://beatmuellerfoto.ch/userfiles/files/21556103940.pdf
    • http://phuvuongcorp.com/luutru/files/51473112105.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=pdf+to+zip+file+with+password
    • http://pro.ovh.net/~tribuene/images/banque/file/57001126321.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e8df.bin
08c6d67afa6e1e830449c15fccdf6b42ceb77f660369c5280a308d5d35b339f0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE8DF 10636 bytes
font_01_sfnt_off0001016f.bin
82980771399edebb427e09f83d18d3231324a2921c76bbdcb949822ced4b2719		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1016F 16900 bytes
font_02_sfnt_off00012dd2.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12DD2 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.