Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1b2b05f86e8d568…

MALICIOUS

PDF

108.8 KB Created: 2021-06-20 13:53:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2cac620f5dee79b4e232cdfcdcec1d9 SHA-1: 9b5d2c72f56c50375f9e926e95bc81d5c4636a63 SHA-256: d1b2b05f86e8d568b33e585f8825809a33594f4205a6df0ca56d8e6c094883e8
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to compromised websites, suggesting a link farm designed to redirect users to malicious content. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to download a password-protected archive, a common tactic to bypass security filters. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://catamma.ru/uplcv?utm_term=sword+art+online+kazuto+kirigaya
    • https://lawrenceyezersky.com/userfiles/file/87814850737.pdf
    • https://www.superioreagle.com/wp-content/plugins/formcraft/file-upload/server/content/files/160825fd0a156e---26107989546.pdf
    • http://5m-tti.com/uploads/image/files/wopivuzoruwaxixi.pdf
    • https://web-sila.ru/wp-content/plugins/super-forms/uploads/php/files/c078e778638707ef5a2a68966de9f79b/98509034243.pdf
    • http://boulderdivorcelaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/16074468450a7a---88173885042.pdf
    • https://cbolean.com/wp-content/plugins/super-forms/uploads/php/files/r8cpbtkqr5uar1lmh56ipp9ju7/pasuluwamo.pdf
    • https://www.capitalroofingct.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607184143f258---xebiwixuji.pdf
    • http://aliancegroup.su/wp-content/plugins/formcraft/file-upload/server/content/files/16099cb9beee04---pawomawadibaxazogonu.pdf
    • http://thedreaminitiative.org/Content/Admin/uploads/files/zodunibi.pdf
    • https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a0c81bfc25---51269297269.pdf
    • http://www.barankayalar.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160af6f0831f38---zifaronogowujiduwomap.pdf
    • http://amwordpress.org/wp-content/plugins/formcraft/file-upload/server/content/files/160959c4d14389---bulenolut.pdf
    • http://rld-carbon.ru/file/vipoxoxe.pdf
    • http://nuitsdartistes.eu/images/file/10455396291.pdf
    • https://atl-50.com/files/file/saniwobe.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014b75.bin
d40e0b5fc6e602095deb01b2437b0c17fee88315d75b9fd3f73fd0321d6d4e6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14B75 9328 bytes
font_01_sfnt_off00016afe.bin
24b806e0258d1679290d30803d58b1bd5f69ae2cdcb839b33607206da7cb9f1d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16AFE 5224 bytes
font_02_sfnt_off00017cf3.bin
1ed19a2ea5f01732bb07e6538d0792d3234bebc07b31e7a6f2991a1019446114		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17CF3 13536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.