Malicious PDF — malware analysis report

Static analysis result for SHA-256 00f77fd63ef735e3…

MALICIOUS

PDF

98.6 KB Created: 2021-09-03 07:08:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 594d1592f9fbc0689a68c672a41b6b35 SHA-1: 513300e48175fa22511fb0938be06675f5c590b3 SHA-256: 00f77fd63ef735e3a3a7e528e418f440e207ba4e4ee9768cb90bb7060a0060d2
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links to external websites, many of which appear to be compromised WordPress installations used for hosting malicious files. The high-severity heuristic 'PDF_RANDOM_URL_LINK' and the ClamAV detection 'Pdf.Phishing.Trojan-d2568dad23a94d95-10044375-0' strongly indicate a phishing or malware distribution attempt. The malformed stream length also suggests an attempt to hide malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTH
    A PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://chcial.ru/uplcv?utm_term=critical+path+method+journal+pdf PDF link annotation
    • http://www.yourhealthyourchoice.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ed30d1a6418---78196601071.pdfIn PDF document text
    • http://21cedu.com/pds/userfiles/files/zosamifaretuvezava.pdfIn PDF document text
    • https://tecnomatec.cl/upload/file/bonalitumexomuvoki.pdfIn PDF document text
    • http://www.moyekolodin.com/files/55580885954.pdfIn PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/cvpnf7p4cj7km3c6v95c0srjj2/24077796181.pdfIn PDF document text
    • http://lamarchesainterita.be/lamarchesainterita/imgdb/news/files/86172987591.pdfIn PDF document text
    • http://reklamavysocina.cz/UserFiles/File/97203846699.pdfIn PDF document text
    • http://faw-asia.com/image/upload/files/67385469349.pdfIn PDF document text
    • http://enjoybowlramenandpoke.com/uploads/files/tebikufekobix.pdfIn PDF document text
    • https://www.andimoda.com/wp-content/plugins/super-forms/uploads/php/files/af67c290bfa1540ed3527b2e1846a062/98665846711.pdfIn PDF document text
    • https://aldea.work/wp-content/plugins/super-forms/uploads/php/files/05ee0ba5d18d6fc4069d95c9e74037ce/danuwoxixirozogirokema.pdfIn PDF document text
    • http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607476668664f---bisigiwenabitokoni.pdfIn PDF document text
    • https://cristalparkhotel.com/ckfinder/userfiles/files/52621655568.pdfIn PDF document text
    • https://alcc.vn/wp-content/plugins/super-forms/uploads/php/files/pu1riq5jsr5c7q1529k86ejjd2/fabufepotujo.pdfIn PDF document text
    • http://grupogmec.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fe63ccdf31---giriwajezimapem.pdfIn PDF document text
    • http://global-insurance-broker.de/downloads/rozivijip.pdfIn PDF document text
    • http://logistra.fr/ressource/site-image/files/84881661151.pdfIn PDF document text
    • https://www.scilights.com/wp-content/plugins/super-forms/uploads/php/files/5fe581dc7b4615d08cd97a5838ba4fdd/12651911236.pdfIn PDF document text
    • http://themultifold.com/wp-content/plugins/super-forms/uploads/php/files/6hkiuqq6oeegc2fqi5meopk4k0/20741943562.pdfIn PDF document text
    • http://cafemsoffice.com/userfiles/files/64353262181.pdfIn PDF document text
    • https://sancarspune.com/wp-content/plugins/super-forms/uploads/php/files/ed7157d913b3d76ed1a82408009db54c/24923086257.pdfIn PDF document text
    • http://www.acefence.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf17a0175bc---mawejasuzuwexiximogoxoku.pdfIn PDF document text
    • https://stayatrosetta.com/wp-content/plugins/super-forms/uploads/php/files/akh1us5kfcp6icdd2ankfpg4lh/ropapiwagudak.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011b3d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11B3D 10976 bytes
SHA-256: 6e85af80d46f5635d5cd6346b3d1e4899b19f0b538a582cdab0f9942b961339d
font_01_sfnt_off00013474.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13474 18412 bytes
SHA-256: ab31d5245681193094494e95040281aa70d8f4f199805f79d0ad8b304e8a10bb
font_02_sfnt_off00016428.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16428 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.