Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1024b03d0585f65…

MALICIOUS

PDF

84.5 KB Created: 2021-07-04 07:58:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: c7971f0aaae66d46e7ef648a9a917234 SHA-1: 7283acd0cfb8707ada1d6a4404f0595fe3352d9e SHA-256: f1024b03d0585f658f76fe51b3be866fc30f6ae7e19d6872f6d03a40a0e7a046
236 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document exhibits characteristics of a phishing lure, specifically a payment redirection scam, as indicated by the 'SE_PAYMENT_REDIRECT_LURE' heuristic. The presence of multiple external URIs pointing to compromised WordPress upload directories and link farms suggests an attempt to distribute malicious content or redirect users to phishing sites. The 'SE_CLICKFIX' heuristic further suggests social engineering tactics to trick users into executing commands, potentially to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=how+to+change+a+pdf+password
    • http://ziepniekkalns.lv/wp-content/plugins/formcraft/file-upload/server/content/files/160989e4692b78---93219170326.pdf
    • http://candybeauty.vn/upload/files/8521519862.pdf
    • https://www.lightingdynamics.com/wp-content/plugins/super-forms/uploads/php/files/3896e3745dbcb63088096ed84175fd3d/46287931499.pdf
    • https://burragebrothers.com/demo/jolie/beta/userfiles/files/ledotixigisaripewogijol.pdf
    • http://supermarketdv.ru/files/file/41357280871.pdf
    • http://wccflooring.com/userfiles/files/pukuwuduxowupufozizil.pdf
    • https://irantruck.ir/data/file/xusopikojojusakir.pdf
    • http://neurooperations.com/ckfinder/userfiles/files/tetokuvexuxitasewapireg.pdf
    • http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/160a502132ae26---ziser.pdf
    • https://www.rydalmereprestige.com.au/wp-content/plugins/super-forms/uploads/php/files/m7uj5bccl56qcff3il2sbsljn4/55709074645.pdf
    • http://clinicacomciencia.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160ac9e327f67f---54678150191.pdf
    • http://lamelove-zakryti.cz/userfiles/file/59202357039.pdf
    • https://karinbentum.nl/uploads/file/fetakadapame.pdf
    • http://blackhorsesc.pl/userfiles/file/rigovetegalolebox.pdf
    • http://alternativefitness.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1607960c8159fc---55247792563.pdf
    • https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/ckvf4r4fci8i0fju9fesbb8k5s/49603656331.pdf
    • http://pkynfe.net/userfiles/file/86596685208.pdf
    • http://plnjl.com/userfiles/files/lozowewofojujogafo.pdf
    • https://ikansambel.com/contents//files/muxebu.pdf
    • http://anhuizhkj.com/upload_fck/file/2021-6-29/20210629093550542141.pdf
    • https://108pizza.pl/uploads/userfiles/files/63666419167.pdf
    • http://lysfyyy.com/upload/files/zurosaji.pdf
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c3be63a31a---kixelufu.pdf
    • https://bamfieldrental.com/userfiles/file/rivoruvu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e847.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE847 16792 bytes
font_01_sfnt_off0001005e.bin
3a27dd4ef57d86d3c1a1b93922075e5305b7541792fc8a27ad0700347c186458		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1005E 10836 bytes
font_02_sfnt_off0001192a.bin
d6ac6dfed2433d9e3bdae8ed0dc352af588dda3cf6addd314d67b02267fe24bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1192A 16708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.