Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8183d70923a6883…

MALICIOUS

PDF

484.5 KB Created: 2021-08-22 00:37:46 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9e8ac50fc6dc293583864ed34105ee02 SHA-1: bb1994c436665bada59af15328da5eeb2aa01b8a SHA-256: e8183d70923a6883a8272ba6b2ed686ab23ce42399acc67bea7aac83ed89d47a
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged by ClamAV as Pdf.Phishing.Trojan and exhibits characteristics of an advance-fee scam. It contains numerous links to external PDFs hosted on compromised websites, suggesting it's part of a phishing campaign. The ML classifier also indicated a high probability of maliciousness. While no scripts were directly extracted, the nature of the links and the scam lure point towards an attempt to deliver a malicious payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7612

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gyarmatilovastorna.hu/userfiles/file/figelelowovumuwuronisiju.pdf
    • https://caravanandre.it/wp-content/plugins/super-forms/uploads/php/files/c826fe20d4ad75ced80fe5b0c7162ef2/25105812801.pdf
    • http://importfoodfair.com/userfiles/image/2021/08/file/gomomawot.pdf
    • http://jorkurojus.com/userfiles/file/22971859606.pdf
    • https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9f6add3ad9---70971368622.pdf
    • http://tamker.hu/userfiles/file/tebofonixej.pdf
    • https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/16119f1ebc46ea---lufajimop.pdf
    • http://realcomfort.ru/content/upload/file/41288882065.pdf
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160b161586dae0---bunijadoz.pdf
    • http://thaoduocvn.com/userfiles/image/file/57753400919.pdf
    • http://xn--80aejmo0alc.xn--p1ai/ckfinder/userfiles/files/buzozasida.pdf
    • https://www.colegiodesafio.net/home/wp-content/plugins/formcraft/file-upload/server/content/files/161157df7bea79---67030329961.pdf
    • http://philippinesroadshow.com/wp-content/plugins/super-forms/uploads/php/files/c4ded4424521beb7c292edc68ea51ea8/41849611411.pdf
    • http://cateringkieuan.com/uploads/userfiles/file/99047746151.pdf
    • http://bugaboo-buffalo.eu/UserFiles/File/56320200053.pdf
    • http://chuaphucluong.com/uploads/image/files/4647703699.pdf
    • http://www.sandzthabapanel.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1606c85e2ef8ef---7943445197.pdf
    • https://aryaayur.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089fcff63ae5---tapuxelovevaxapobutotaz.pdf
    • http://studioassociatoemc.com/userfiles/files/90257689492.pdf
    • http://xn--e1aaafipco3bk8gra3b.xn--p1ai/upload_picture/file/39028727452.pdf
    • https://rubyyadav.com/nbloom/fckuploads/file/81441662750.pdf
    • http://urgentcarepb.net/userfiles/file/bijiwamuvale.pdf
    • http://www.kliningstroy.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160984e19728be---wixudilalefufededotatuzob.pdf
    • http://donaldnathanlaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/ravalatu.pdf
    • https://vicotelecom.vn/static/source/images/file/rusebunedetujepafuxu.pdf
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160be4e61191d5---80551054578.pdf
    • http://klhl.com/userfiles/file/devokomefilo.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=badmaash+company+full+video+song
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00071cc4.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71CC4 16792 bytes
font_01_sfnt_off000734db.bin
490738e3cdc24aee26cbf058feca74e73698444376be8861bddfa7d748531a93		 pdf-font-stream PDF embedded font (sfnt) at offset 0x734DB 11204 bytes
font_02_sfnt_off00074eb7.bin
8abb78c02f83f28431047ca5b4757554809506b795091697b3556a70442137b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74EB7 19384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.