Malicious PDF — malware analysis report

Static analysis result for SHA-256 00a4738466c74b63…

MALICIOUS

PDF

74.3 KB Created: 2021-09-17 02:07:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 5cf5a3c46e1dae242f25f8ad9f2b3134 SHA-1: 2278c9b62440337bd4adf995e25e9fa04a97690d SHA-256: 00a4738466c74b631ddef3b966017f91f3c9053af1e71dca53ed761415e0f657
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and an ML classifier, with heuristics indicating embedded JavaScript and a link farm pointing to compromised WordPress sites and disposable hosting. The embedded JavaScript likely facilitates the redirection to these external URLs, which are presented as PDF files, suggesting a phishing or malware distribution attempt. The presence of numerous external links and the use of compromised domains indicate a coordinated effort to host malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=android+studio+questions PDF link annotation
    • http://ranjitabiswas.com/userfiles/files/71214713844.pdfIn PDF document text
    • http://iraneto.com/basefile/iranetocom/files/jufinukozeliki.pdfIn PDF document text
    • https://easy2ticket.com/upload/files/63779571989.pdfIn PDF document text
    • https://b7b.reviewz.eu/app/webroot/files/userfiles/files/77466265416.pdfIn PDF document text
    • http://xn--oy2b9bv81anouola.com/upload/file/202109140303228603.pdfIn PDF document text
    • http://hotel-ambassador-nice.com/upload/files/22373180313.pdfIn PDF document text
    • http://shuimotongyuan.com/userfiles/file/56862515271.pdfIn PDF document text
    • http://dentalclinicbangalore.com/uploads/womunagajagikesofirazal.pdfIn PDF document text
    • https://deltarents.com/upload/ckfinder/files/saxen.pdfIn PDF document text
    • http://aviapartner.biz/js/ckfinder/userfiles/files/wetopogoxomemijek.pdfIn PDF document text
    • http://studiobonvino.com/userfiles/files/62835058373.pdfIn PDF document text
    • http://jiji.pgo.tw/pic/uploads/files/74376223311.pdfIn PDF document text
    • http://parcroyale.hk/userfiles/dovubotobegobu.pdfIn PDF document text
    • https://miamivanservice.net/wp-content/plugins/formcraft/file-upload/server/content/files/16132b146d7f16---zokomozatejonivikevakizo.pdfIn PDF document text
    • http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/5d60b018b9f4bea05a140cd14ce6e182/15628445390.pdfIn PDF document text
    • https://www.cfo-search.com/wp-content/plugins/formcraft/file-upload/server/content/files/161334869d212f---totizu.pdfIn PDF document text
    • https://shrmivirtual.org/wp-content/plugins/super-forms/uploads/php/files/079238033e113ee028c8190a77149225/67892395075.pdfIn PDF document text
    • https://nhomphuongnam.com/upload/files/dolikunoponipi.pdfIn PDF document text
    • https://www.jemelectric.com/wp-content/plugins/formcraft/file-upload/server/content/files/16142984a77a68---girigumugigapuvavanelo.pdfIn PDF document text
    • http://www.startservis.sk/novy/ckfinder/userfiles/files/kenotapokexuf.pdfIn PDF document text
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/16142dca4a06e6---futibosevegaso.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c1ba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC1BA 16808 bytes
SHA-256: 913204729808d7f9316d166f9fc8d0518a5f9de125d747ec1c01a4f1a43e7f0b
font_01_sfnt_off0000ed0c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xED0C 10260 bytes
SHA-256: 1cad9ee7fd1ba416d7dabf3422380bdc064c69905bbfc44acd5eef2f98f838e9
font_02_sfnt_off00010411.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10411 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1