Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd572e3d2f0bcafd…

MALICIOUS

PDF

84.0 KB Created: 2021-07-15 18:17:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 2ecdd11159d7659cbf7ce03eb1f328fc SHA-1: 164479621380263867ed6722df09d7b8bd4dd2bd SHA-256: dd572e3d2f0bcafdff2d988dc0e2027cbbf3d420ef9fe409a5d3c1811e32a4e9
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was detected as malicious by ML classifiers and ClamAV, exhibiting characteristics of a phishing lure. It contains numerous links to external websites, many of which are hosted on compromised WordPress installations, suggesting a link farm designed to redirect users to malicious content. The heuristic 'SE_PAYMENT_REDIRECT_LURE' strongly indicates the document's intent is to trick users into believing there are changes to payment instructions, a common tactic in business email compromise attacks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=depreciation+of+plant+and+machinery+is+a+part+of PDF link annotation
    • http://sazjah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b06b31dfa2e---78072064798.pdfIn PDF document text
    • http://timatey.kz/wp-content/plugins/super-forms/uploads/php/files/h3mlepbgano3vshc2denmvmr82/86032894510.pdfIn PDF document text
    • https://irrisyst.eu/files/file/81467956000.pdfIn PDF document text
    • http://comp-art.ru/userfiles/file/32564746091.pdfIn PDF document text
    • http://aivieksteslaivas.lv/userfiles/file/62836388012.pdfIn PDF document text
    • http://micronforgacsolo.hu/UserFiles/file/xumanobaxemivufife.pdfIn PDF document text
    • https://www.hinogas.com/wp-content/plugins/super-forms/uploads/php/files/18iq8867bo7639qavkfvagrdur/84061825381.pdfIn PDF document text
    • http://harperfamilyreunion.net/clients/3/35/3566a42c83b0accea4ba2bdfee5c7976/File/43381221366.pdfIn PDF document text
    • http://zonazero.es/userfiles/file/lewigedebovifasesagivureb.pdfIn PDF document text
    • https://www.simplythebestevents.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160da83610930b---rukopoban.pdfIn PDF document text
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/nmbihr7aj5hu8b9nrpkjmc31v3/rikanapidogefamuju.pdfIn PDF document text
    • http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1607083172d242---mowoselavezin.pdfIn PDF document text
    • https://marathonroller.com/userfiles/files/kigaropomesakilufenojowed.pdfIn PDF document text
    • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d6546bb650c---zerevimil.pdfIn PDF document text
    • http://cuacongtudongbinhduong.com/upload/files/2105072087.pdfIn PDF document text
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf5a7aa7146---xifufuwinit.pdfIn PDF document text
    • http://galluccifaibano.it/userfiles/file/tomevobefixokesom.pdfIn PDF document text
    • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/l612ukk03271lp78s1bpcfn0o3/93386182744.pdfIn PDF document text
    • http://exactblue.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be6cdfe5a74---talapo.pdfIn PDF document text
    • https://betonwerkendejonge.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16073ee6e8900d---48664646100.pdfIn PDF document text
    • https://www.qbuildsoftware.com/wp-content/plugins/super-forms/uploads/php/files/8d47e1967c000b1c8fa2f93a5636f565/bebosopu.pdfIn PDF document text
    • https://www.mobytec.com.br/mobytec/wp-content/plugins/formcraft/file-upload/server/content/files/160e443919113b---gonufixogoriratire.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE2F1 11000 bytes
SHA-256: 304ec855c92772a30ec5a37bdf06b99d687264f0d7c0a8001a7acee030621650
font_01_sfnt_off0000fc54.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC54 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011466.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11466 17660 bytes
SHA-256: 3e0a047a8c94d4fc9a780f8f0499ddfd51d159bbc0fe58ad6d2dc83819fffecc

Open this report in the interactive analyzer, or submit your own file for analysis.