Malicious PDF — malware analysis report

Static analysis result for SHA-256 017a55ef4153c486…

MALICIOUS

PDF

80.8 KB Created: 2021-09-10 15:28:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 375ebf31529ba82b7e4249c822f6e0c6 SHA-1: 65eff01bc39d850484736d98e58d81daac01a839 SHA-256: 017a55ef4153c4865d59fb11265d6971fe5bef01389c6f95a2468056c3e65e14
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs, many of which point to compromised websites or disposable hosting, indicating a link farm designed to lure users to malicious content. The ML classifier and ClamAV detection strongly suggest malicious intent, likely phishing or malware distribution via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://hobbyschuurtje-webwinkel.be/images/userfiles/file/68858953872.pdf In PDF document text
    • http://berallebags.com/UploadFiles/FCKeditor/20210905211233.pdfIn PDF document text
    • https://www.a2zmedical.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16130e0b7dd3a0---xixetuxav.pdfIn PDF document text
    • http://criminisiepartners.it/userfiles/files/67874275923.pdfIn PDF document text
    • http://www.tobywells.org/media/fckdir/file/dexasilivevuwofogone.pdfIn PDF document text
    • https://tcufroghouses.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613b4aabd9394---48442757748.pdfIn PDF document text
    • http://chanakol.com/ckfinder/userfiles/files/21719202943.pdfIn PDF document text
    • http://klick-tipp.info/ckfinder/userfiles/publics/files/87644448206.pdfIn PDF document text
    • http://tbvshungviet.com/upload/files/bebanulavomupolavukox.pdfIn PDF document text
    • http://www.siscard.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613574da83b91---84765735600.pdfIn PDF document text
    • http://nickelsgrafikdesign.de/ckfinder/userfiles/files/vujopagewelefukejurawibi.pdfIn PDF document text
    • https://badrivishal.com/media/nevadas.pdfIn PDF document text
    • http://yossy.biz/userfiles/file/84647309569.pdfIn PDF document text
    • http://resetimpianti.it/reset/public/file/mosexoxubojokigaxasu.pdfIn PDF document text
    • http://pphjako.pl/userfiles/file/pewisewopujujududajesi.pdfIn PDF document text
    • http://goref.ru/files/file/wazovizegalarixasu.pdfIn PDF document text
    • http://ncdesign.it/userfiles/files/46624007907.pdfIn PDF document text
    • https://nepalonlineexam.tisaracademy.com/userfiles/files/jisiponu.pdfIn PDF document text
    • http://www.veslovani-vsb.cz/soubory/file/22768871940.pdfIn PDF document text
    • http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/1613249f3a8fc3---silajizenogifudawuvuji.pdfIn PDF document text
    • http://tumwebthailand.com/ckfinder/userfiles/files/30624212283.pdfIn PDF document text
    • http://luisacortesearchitetto.it/userfiles/files/19992397973.pdfIn PDF document text
    • http://netflor.pl/upload/File/bujogixuzozikupalageli.pdfIn PDF document text
    • https://grandiosieventinuziali.it/filesUploads/file/93868191063.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=to+the+point+english+grammar+book+by+aftab+ahmed+pdf+free+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cea2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCEA2 11340 bytes
SHA-256: 37ba709b294c1ceb100102df67df05a372d21586389c94c1146a60b015b27433
font_01_sfnt_off0000e8c7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE8C7 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000100d9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x100D9 19828 bytes
SHA-256: da9413a0c0b7b2ed82a9853524911d2606416bc4391c3bedb76b7839ee37b0b3