Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea1617943bc67a18…

MALICIOUS

PDF

83.3 KB Created: 2021-09-07 14:08:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: c1910dc5355ed7b44ee2601cc25a583c SHA-1: c09b28fd2f20b9df9f6fb3f7279d55b87e143709 SHA-256: ea1617943bc67a189670d92dc41d0966c183ad67b832a7370520f5067237c960
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a link farm hosted on disposable domains, which is a common technique for distributing malware. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' indicates the document likely instructs the user to open a password-protected archive, a tactic used to evade gateway scanning. The ML classifier and ClamAV detection strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://classiccar-jp.com/js/upload/files/dudobejogalutevexisiz.pdf In PDF document text
    • http://www.skupp.pl/wp-content/plugins/formcraft/file-upload/server/content/files/1607e15cba2fb9---kexizitorolap.pdfIn PDF document text
    • http://primethailand.com/ckfinder/userfiles/files/dopetubigixijudokefurisiw.pdfIn PDF document text
    • http://www.birapart.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071fc0c70b4b---54730247742.pdfIn PDF document text
    • http://vizesblokk.hu/files/file/4402832733.pdfIn PDF document text
    • https://nadamasristorante.it/file/3964696685.pdfIn PDF document text
    • http://networkinglikepro.com/ckfinder/userfiles/files/72225544911.pdfIn PDF document text
    • https://www.alapan.org/fckimages/file/81712088158.pdfIn PDF document text
    • https://novsport.com/content/File/41700441414.pdfIn PDF document text
    • https://lokmangal.co.in/wp-content/plugins/super-forms/uploads/php/files/7fc4216e311bf9eadb2566a8ce2914b9/zifonase.pdfIn PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/16113c97c28a90---rakitovifunujakapu.pdfIn PDF document text
    • http://buren-kompanie.de/userfiles/files/53929433472.pdfIn PDF document text
    • http://e-hematologica.pl/users//file/4342606052.pdfIn PDF document text
    • https://www.sir.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16073f5dcb548b---19632402771.pdfIn PDF document text
    • https://lecachet.fr/docs/files/gibugisu.pdfIn PDF document text
    • https://www.frankcapassoandsons.com/wp-content/plugins/formcraft/file-upload/server/content/files/160becad8caafd---17495476966.pdfIn PDF document text
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1606f3a0a03706---kemerasemol.pdfIn PDF document text
    • https://hirurgija.me//files/60788073470.pdfIn PDF document text
    • http://aleeblog.com/wp-content/plugins/super-forms/uploads/php/files/76m7g0mea8tuj5491qeg2ejrd6/92795917518.pdfIn PDF document text
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/1608ebf927772f---85642852842.pdfIn PDF document text
    • http://carnow.jp/js/upload/files/56038179048.pdfIn PDF document text
    • http://jagodkaprzedszkole.pl/userfiles/file/5241267307.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/Om9ozkHLxGw/uplcv?utm_term=unlock+pdf+adobe+acrobat+proPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e15b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE15B 18092 bytes
SHA-256: 0e80e862c99d3178b41bbb4d972410e1b43861d7149bb225123c02f4e4276a08
font_01_sfnt_off00010f56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F56 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001276d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1276D 10592 bytes
SHA-256: 787e64cad002403a1ee4f773e75fbdc053b1951432e175b6c450d4fbec4424a9