Malicious PDF — malware analysis report

Static analysis result for SHA-256 ffcac9893aa266ec…

MALICIOUS

PDF

121.8 KB Created: 2021-06-29 17:44:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9a2b2b2f79d6275d6efb06badf99e9d8 SHA-1: f299982e627e31f233b28c8bc60104fe70e31719 SHA-256: ffcac9893aa266ec1745c6ba5cfaf1987a4a7fd1606b95e800cda4327921dccd
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by ClamAV as Pdf.Phishing.Trojan and an ML classifier indicated a high probability of maliciousness. The document contains a link farm pointing to compromised WordPress upload storage, suggesting it's part of a phishing campaign. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to download a password-protected archive, a common tactic to bypass gateway scanning.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9690

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.makattakasinti.com/wp-content/plugins/formcraft/file-upload/server/content/files/160795c8690fe5---vutijufawimazuxesuvipexu.pdf
    • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071e5130349a---witaxuvedonul.pdf
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/ked3vpt5rur2hpun80abihseg5/78696320985.pdf
    • https://www.lightingsolutionsinc.net/wp-content/plugins/super-forms/uploads/php/files/252b9df4601df1863c854c2fe80a4c68/mozarelevipupunavedaf.pdf
    • https://sipare.com.ar/wp-content/plugins/super-forms/uploads/php/files/d5i8l55k53hindsluq866mgohf/rurixenutevezav.pdf
    • http://sanitaerprofi.ch/fckeditor/editor/images/file/xoriwozogaliwaxifozesamav.pdf
    • http://614move.com/clients/4890/File/bavexov.pdf
    • http://fullcolorspandoeken.nl/userfiles/file/80613436.pdf
    • https://dildendilecevirievi.com/upload/ckfinder/files/75007352890.pdf
    • http://lycee-elm.org/userfiles/file/nipusiroxojozanuxezonamiz.pdf
    • https://laihouston.com/wp-content/plugins/super-forms/uploads/php/files/6453cb8790258f6ef2c2b5d8c6ac712f/8829953318.pdf
    • https://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d223a91e1d2---luzaxejigawupos.pdf
    • https://cdmsig.com/ckfinder/userfiles/files/73969797166.pdf
    • http://bjhtdszdh.com/v15/Upload/file/20216132149327142.pdf
    • http://at2apigroup3.com/contents//files/dolonivazimaw.pdf
    • http://azizolace.cz/images/file/diduvepunivepenedofib.pdf
    • https://www.isnb.co.uk/wp-content/plugins/super-forms/uploads/php/files/c6da22169048680cc45124a4e2e89548/pavetixasidibizazapidep.pdf
    • https://www.verpoort-bouw.be/wp-content/plugins/formcraft/file-upload/server/content/files/1607f2fcb1c847---25129353653.pdf
    • https://wurstfargo.com/wp-content/plugins/super-forms/uploads/php/files/9e36ad905299fed6c490ba27c21f1e2e/tanalodiwanoxudomini.pdf
    • http://alphanaturehk.com/userfiles/file/mewamenanusod.pdf
    • https://c4ir.ae/wp-content/plugins/super-forms/uploads/php/files/8rg5f7pauf6ov2dfej7d49uoi6/fezetozufoxesosetopunexug.pdf
    • http://alemotta.com/resources/original/file/lalozowofedabaf.pdf
    • http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/16080d653d9073---kipejeritozivadala.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/BkSY9tpko7c/uplcv?utm_term=what+does+contrast+mean
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000113e3.bin
332909ae80c99f4adccf78a8711406928b783d94847c4be435696f9b9bcf56c1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x113E3 26644 bytes
font_01_sfnt_off000145fc.bin
ba1ff025daf02258daffe7299c3e5064446b30486dbf67adfa5ca114a82b5f32		 pdf-font-stream PDF embedded font (sfnt) at offset 0x145FC 7948 bytes
font_02_sfnt_off0001609c.bin
1d0bb147d8dfe9675ef89cdf11113e885a5ab70c0e5608546d4101dfcdc1db6b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1609C 10492 bytes
font_03_sfnt_off0001784a.bin
71355896b01aa6bfd6f6cce5cc422a04afee8a6af4117a6639e5bb53e0a20584		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1784A 30488 bytes
font_04_sfnt_off0001bf3c.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BF3C 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.