Malicious PDF — malware analysis report

Static analysis result for SHA-256 0123f4b7248d02f9…

MALICIOUS

PDF

81.8 KB Created: 2021-06-12 16:13:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-11
MD5: ef05eec10c02b32285b6c1917c4fc6d0 SHA-1: b35e3882932de041153787e6ce11df5dbde7880f SHA-256: 0123f4b7248d02f9cc03dcce81c0264cbeaedc75f8d52dc80c5a34c3bf1be4b1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links to compromised WordPress upload directories and other disposable hosting, suggesting it functions as a link farm or downloader. The embedded content, though heavily obfuscated, appears to be related to movie downloads, a common lure for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crewmak.ru/uplcv?utm_term=ra+one+full+movie+mp4+download PDF link annotation
    • https://www.dartmusicfestival.co.uk/wp-content/plugins/super-forms/uploads/php/files/778e3c77a97da9735efe4e19a8146365/jupitebizofuvexolifiziven.pdfIn PDF document text
    • http://busangh.com/attfile/fckimg/file/%5C/202106037013_1070511468.pdfIn PDF document text
    • https://sailstudy.in/ckfinder/userfiles/files/xuwolebavasokilax.pdfIn PDF document text
    • http://for-rent-aalst.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608cd2bfbbdd1---wawenapepuge.pdfIn PDF document text
    • https://hsegroup.ru/wp-content/plugins/super-forms/uploads/php/files/3gakpuboo0icb7qk6bf7em5et5/kudoxoxusa.pdfIn PDF document text
    • http://hgbs.de/userfiles/file/kalinevibuwijozesitepe.pdfIn PDF document text
    • http://bezpieczna-strefa.pl/wp-content/plugins/super-forms/uploads/php/files/1f18040f06bcb89ef4aebebe82f1767a/75290502600.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/fupiwori.pdfIn PDF document text
    • http://minerva-collection.net/files/files/begixuvojerefugitetifozox.pdfIn PDF document text
    • https://endoaccessories.com/wp-content/plugins/super-forms/uploads/php/files/7mlmnqhhmmtfi2cldhl0hk79ui/91868243631.pdfIn PDF document text
    • http://mesterek.net/tmp/vofapejenebodiwobexaxi.pdfIn PDF document text
    • http://brenna-ski.pl/userfiles/file/75958677275.pdfIn PDF document text
    • http://hanhthien.net/uploads/file/87530786601.pdfIn PDF document text
    • http://bioident.pl/photos_fck/file/jugijakebele.pdfIn PDF document text
    • https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/632a8664064a59b939a5b2ba0c7b526c/73324131142.pdfIn PDF document text
    • http://abacusnancy.com/userfiles/file/mabewip.pdfIn PDF document text
    • http://interface-referencement.com/userfiles/file/88908528227.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000101cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x101CD 5160 bytes
SHA-256: 3961f955c970422cc093c5b337a3414e620544bb685d37d5e24082acc412fcb6
font_01_sfnt_off00011376.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11376 11496 bytes
SHA-256: c86e955d99fce3eff32b7b2a9b8f8289fe00d8b777f7107bbe1f9b02af360f2d