Malicious PDF — malware analysis report

Static analysis result for SHA-256 cebca8ffece7d729…

MALICIOUS

PDF

433.1 KB Created: 2021-06-23 10:46:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-12
MD5: a7274a8be6015ab19e4adb5c3c6a352c SHA-1: 42bb1099873c6bd9cec38041bd7532cea1836d73 SHA-256: cebca8ffece7d72999e1fc4a729094ddce9fb8a345d424f42dcb78d486a7dd6b
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file is identified as malicious by ML classifiers and ClamAV, indicating it's a phishing or trojan delivery mechanism. It contains numerous URLs pointing to compromised WordPress sites, suggesting it's part of a campaign to distribute further malicious content. The document body, though partially corrupted, suggests a lure related to a 'Cobra laser manual'.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9333

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=cobra+15+band+ultra+360+laser+manual PDF link annotation
    • http://objetivovender.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5a7d6ad026---giwutobu.pdfIn PDF document text
    • http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2ffac68313---petigonoxuzuzebesepip.pdfIn PDF document text
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/16095998cee973---gulafotiduminifosebidi.pdfIn PDF document text
    • http://gayaarchi.com/userfiles/file/20210528102740.pdfIn PDF document text
    • https://414movement.com/wp-content/plugins/super-forms/uploads/php/files/556ede012140b2e6219f745ed6d65446/getotoporilevizemolexufaw.pdfIn PDF document text
    • http://cuhs1981.com/clients/8/82/82ca37c076ec4232796cb58ed009bb3a/File/gopufofilozogovu.pdfIn PDF document text
    • https://bykevin.com/wp-content/plugins/super-forms/uploads/php/files/1dce6b71fad5ad07af6150ca5c94b931/moreketipiluxosituripijaw.pdfIn PDF document text
    • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/1607c27e40a01f---zetadidawedaf.pdfIn PDF document text
    • https://jjmassociates.com/wp-content/plugins/super-forms/uploads/php/files/8e75197be19043eaf8c8e1cd9f74442d/modoferomodajazibi.pdfIn PDF document text
    • http://www.psstrecno.sk/wp-content/plugins/formcraft/file-upload/server/content/files/160c06ee3dbcea---mekokovapawes.pdfIn PDF document text
    • http://brooklinehs1964.com/clients/6/6a/6a3559cec3eb17f551da2d864c8c85ab/File/32331359886.pdfIn PDF document text
    • http://amatnieks.com/pictures/image/42189250332.pdfIn PDF document text
    • http://www.sandzthabapanel.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160ab848d4bd00---55265093254.pdfIn PDF document text
    • http://adabaskimerkezi.com/upload/file/vixedemumobotebenabav.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00065df1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x65DF1 5652 bytes
SHA-256: 88b2e38043fbd00ef8c0ff92bd790cada8e475d4a1bab98387335eb5a6ecb408
font_01_sfnt_off0006710c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6710C 12916 bytes
SHA-256: b67eb7dca5b48f36b15e9b7b2534a8e970843e4956cd2dcc003f827702222392
font_02_sfnt_off00069cac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x69CAC 16296 bytes
SHA-256: 20cae6de8069e630267dc8b060c30e10a50712bad6f006ccbe3193e4f6e2f55c