Malicious PDF — malware analysis report

Static analysis result for SHA-256 edb848f5abbb374f…

MALICIOUS

PDF

86.0 KB Created: 2021-09-02 11:18:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: 90341eba070a74c9c028e739eddffafe SHA-1: 9ccdb03fb5e1f4fbcfeb6693ed822e926634c959 SHA-256: edb848f5abbb374fed320cbd0702093fab24410e3091daea54bdcb0b9d7e49ac
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link farm pointing to multiple domains, some of which appear to be compromised or disposable hosting. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to obtain a password for a separate archive, a common tactic to evade gateway scanning. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9848

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://toddfamilyreunion.com/clients/4/48/482e924d5a052aa4a0c13eb8a30e0bc8/File/61172203072.pdf In PDF document text
    • http://kagoshimakojintaxi.com/userfiles/file/81477468302.pdfIn PDF document text
    • https://adsbudget.net/userfiles/file/4791071470.pdfIn PDF document text
    • https://muguet.fr/sites/default/files/file/51000349305.pdfIn PDF document text
    • http://net-marketing.hu/images/files/91351709710.pdfIn PDF document text
    • http://go-trec.com/wp-content/plugins/super-forms/uploads/php/files/vdg68epc2n9bmu0v0vp3qasgnm/medulodewodobivitepaw.pdfIn PDF document text
    • http://alkanboya.com/files/file///59299727200.pdfIn PDF document text
    • https://grup-insaat.com/userfiles/file/47283048295.pdfIn PDF document text
    • https://beaufortbond.com/wp-content/plugins/super-forms/uploads/php/files/8db9c1d5eee36ac03fe8d1a711e0ee13/deteluwikip.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160da1ed131074---82281644370.pdfIn PDF document text
    • http://ogbchurch.com/clients/880797/File/potigunipu.pdfIn PDF document text
    • https://thriveelearning.com/wp-content/plugins/super-forms/uploads/php/files/a6535e7ee3fbd43e953c40da97db01ee/muzesepewekiborilefu.pdfIn PDF document text
    • http://tanphatinst.com/vietkiendo/upload/file/fogurasivexuwijakofozi.pdfIn PDF document text
    • http://www.neslihanonur.com/wp-content/plugins/super-forms/uploads/php/files/1516c6475a6b9d7ccfc2da2dbf836406/11295529157.pdfIn PDF document text
    • http://www.sensible-seeds-premium.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b20d2f35143---21538961258.pdfIn PDF document text
    • http://cabinet-blin.fr/ressource/site-image/files/47660225861.pdfIn PDF document text
    • http://metzpaintings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609eb89ac950b---81787202543.pdfIn PDF document text
    • https://daotaolaixesontay.com/uploads/file/87687977280.pdfIn PDF document text
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609444da8fe6e---88253014044.pdfIn PDF document text
    • http://anhuizhkj.com/upload_fck/file/2021-8-15/20210815161819346119.pdfIn PDF document text
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160a58bb53716b---48061238.pdfIn PDF document text
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/160aff8e7980b3---bebikekad.pdfIn PDF document text
    • http://smartpaintingplus.com/userfiles/files/jugataxarowujal.pdfIn PDF document text
    • http://intechsol.kz/wp-content/plugins/formcraft/file-upload/server/content/files/160768158cef91---41923882488.pdfIn PDF document text
    • https://www.tctnanotech.com/wp-content/plugins/super-forms/uploads/php/files/340d330558a68763c9474bedfff258b3/49451637230.pdfIn PDF document text
    • http://autofulltravel.com/userfiles/files/wojenij.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=ccna+chapter+6+network+layer+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e97a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE97A 18152 bytes
SHA-256: 674904a14ed974e9bc126cd2846495420ed99dc0ec4b092e651b1a790556b10f
font_01_sfnt_off000118ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x118AB 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000130c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x130C2 10948 bytes
SHA-256: 1d1a09395c28e8e863a5c4d2d9428fb2f39cb2cc87111d3f4e6efab77361f296

Open this report in the interactive analyzer, or submit your own file for analysis.