Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7928e20a09ada32…

MALICIOUS

PDF

82.9 KB Created: 2021-08-20 18:05:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 6d382748027bde905a62610694f955de SHA-1: f73cdc12baa1b83c3b5762737f7307d1f15c3998 SHA-256: e7928e20a09ada324670a8802ea6a163e1938346f9594d51d76987ce25548d49
276 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1539 Steal or Harvest Session Tokens T1041 Exfiltration Over C2 Channel T1555 Credentials from Password Stores

This PDF document exhibits multiple social engineering lures, including instructions to disable security software and a prompt for MFA or one-time codes, indicative of credential harvesting. The presence of numerous links to compromised CMS uploads and disposable hosting suggests a phishing or scam campaign. While no scripts were explicitly extracted, the PDF structure and heuristics point towards malicious intent, likely involving the exploitation of user trust to obtain sensitive information or session tokens.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 9

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://stijsr.com/userfiles/file/romolemexodipufawi.pdf In PDF document text
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8e708b641---55984562818.pdfIn PDF document text
    • http://www.nandomoraes.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16082de9c63538---moponox.pdfIn PDF document text
    • http://www.ecostroyservis.ru/File/71375313263.pdfIn PDF document text
    • http://metzpaintings.com/wp-content/plugins/formcraft/file-upload/server/content/files/16094c3769b6bd---69091301259.pdfIn PDF document text
    • http://ljhalls.com/wp-content/plugins/super-forms/uploads/php/files/ca9f637bfd5d0384e808420f71534aa0/jebavapokotipanotadojow.pdfIn PDF document text
    • http://dodici12.ru/wp-content/plugins/super-forms/uploads/php/files/7jr6bc814t5hkjah9s8t94bl03/7637484283.pdfIn PDF document text
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/160900764480ae---pokanexog.pdfIn PDF document text
    • https://krimgranit.ru/wp-content/plugins/super-forms/uploads/php/files/643b892c9e64c23f4d9e0d4a010a9a1f/xitijoxupato.pdfIn PDF document text
    • https://www.kalirich.com/wp-content/plugins/super-forms/uploads/php/files/tkdb2ftvd75sjtg19kf5ei3853/77824222764.pdfIn PDF document text
    • https://orkhaconstruction.com/wp-content/plugins/super-forms/uploads/php/files/4j7sqkg5gn7flafm4uttstalae/vodep.pdfIn PDF document text
    • http://entone.es/wp-content/plugins/super-forms/uploads/php/files/aea5ded4d897683303e4a9f46d1629ed/64281017465.pdfIn PDF document text
    • http://crediramasrl.it/public/file/79729884148.pdfIn PDF document text
    • https://nepalmicrofinancesummit.org/userfiles/files/tiragu.pdfIn PDF document text
    • http://www.alfainstal.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16097e192e4895---ferelojuzeje.pdfIn PDF document text
    • http://kapsalonvogue.nl/files/file/dutexajoxamiwuxil.pdfIn PDF document text
    • http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160983c3f6bb81---25028894534.pdfIn PDF document text
    • https://www.sharpeningfactory.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607149060d213---96843297625.pdfIn PDF document text
    • http://rollfactorytogo.com/uploads/files/toxebaxanufutipan.pdfIn PDF document text
    • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/06c21809d970a814519b2dc9f9613ccd/guxuluwade.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=cisco+anyconnect+secure+mobility+client+not+workingPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dcb2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDCB2 11136 bytes
SHA-256: fdeb2c006c7f33e42854656b33027ebe86edc04d83007d69146ff47aa26b7e43
font_01_sfnt_off0000f6d4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6D4 17088 bytes
SHA-256: 4e9282f0d63277ec387f13e6d7dbda4b8831e4832d62d52c1318a4eedd021cac
font_02_sfnt_off000123ac.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x123AC 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1