Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaaee387f861ea8d…

MALICIOUS

PDF

354.4 KB Created: 2021-07-06 16:54:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 977a163ff2e73dcd75d2e6e831b3ec3c SHA-1: 53a728ffaf163506fb454c8e636ce034f99485c3 SHA-256: eaaee387f861ea8d55e673976dadef4f96fc0518c76ac2bd6ff989736f90e6b6
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and ClamAV heuristic strongly indicate this PDF is malicious, specifically flagged as phishing/trojan. The presence of numerous links pointing to compromised CMS upload directories and external PDF files suggests a phishing or malware distribution campaign. Although no scripts were explicitly extracted, the PDF structure and embedded links are indicative of malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9871

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://menlopark.com/wysiwygfiles/file/lujobunumifuju.pdf
    • https://impariant-club.ru/wp-content/plugins/super-forms/uploads/php/files/5ea569a6909e899cf4776448cc443fb9/donivuxesajavutijub.pdf
    • https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/2ojkfusm9pma372dhhu6n44uta/xovupo.pdf
    • http://kystop.com/wp-content/plugins/super-forms/uploads/php/files/t6vhcdj7p14688mk4tgsafscp2/sawetat.pdf
    • http://global-poseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a45db89c881---70502319669.pdf
    • http://shavers-boles.com/clients/7/73/73b1ad2e2c85410b7b015c0c79a6caf4/File/31180501917.pdf
    • http://rspon.pl/images/wyswig_images/file/laxivawupefekubenase.pdf
    • https://mimpishio2bet.com/contents//files/musatusani.pdf
    • https://www.tifdip.com/wp-content/plugins/formcraft/file-upload/server/content/files/160705f785ece8---repewefaduwujemu.pdf
    • http://bezpiecznamlodosc.org/files/file/642157003.pdf
    • https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1607ba1d31e17e---kizevuresufuze.pdf
    • http://atol-res.pl/uploads/file/rupebunazunobenosawow.pdf
    • https://giverny-bkk.com/upload/files/xepasesutuzu.pdf
    • https://morganmethod.com/ci/userfiles/files/10952900498.pdf
    • http://austria-ex.com/images/blog//file/mafovelijifafafilufil.pdf
    • https://www.endthestigmacounselling.com/wp-content/plugins/super-forms/uploads/php/files/t05vqqpjrlkeh60eh6l5i2vded/nenopukegaverubejugiru.pdf
    • https://advancedbusiness.co/wp-content/plugins/super-forms/uploads/php/files/ae56ac0b42e71abb6f7a892cbf7d4104/firegobawabosose.pdf
    • https://www.saenger-ohg.de/wp-content/plugins/formcraft/file-upload/server/content/files/16075e0e10f229---94353773300.pdf
    • https://webmodels.studio/wp-content/plugins/formcraft/file-upload/server/content/files/1609fc8afee690---65658585660.pdf
    • http://www.adanakursmerkezi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079b302706b8---78397917889.pdf
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c31273ef9b0---gukubelo.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=types+of+stains+in+microbiology+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0005108e.bin
5c660cd6db396a69abe996bdabce979d08cb537adcbc7e7431799a96662208e5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5108E 22820 bytes
font_01_sfnt_off000548e9.bin
4268ecca7aed9036eb81b32de3a959334383cec7d29854e3e359b66bd5b3b302		 pdf-font-stream PDF embedded font (sfnt) at offset 0x548E9 11180 bytes
font_02_sfnt_off000562aa.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x562AA 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.