Malicious PDF — malware analysis report

Static analysis result for SHA-256 018d5f49c2876f29…

MALICIOUS

PDF

81.8 KB Created: 2021-09-18 07:15:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 677b190cde53e58a909af80a1d3d479a SHA-1: 9ffeea9b32f0aa342e6925e66d239d6819c39683 SHA-256: 018d5f49c2876f2915269537b715461841f189cf8b5ff2b63b650878aee502a8
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and a large number of external URIs, many of which point to IP addresses or compromised WordPress uploads, indicating a malicious intent to redirect users to potentially harmful sites. The ML classifier and ClamAV detection strongly support this assessment, suggesting the document is a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bursaceyizgelinlik.com/images_upload/files/1735668310.pdf In PDF document text
    • http://eltdb.com/UserFiles/files/nobufawapubofikizexaxone.pdfIn PDF document text
    • https://sanipro.ma/app/webroot/uploaderfiles/malivuwokoxovibojitik.pdfIn PDF document text
    • http://neoneophytou.com/ckfinder/userfiles/files/nakikisepekijotevuwug.pdfIn PDF document text
    • https://vasantviharproperties.com/userfiles/file/65610930544.pdfIn PDF document text
    • http://texinpack.com/uploadfile/file///2021090804270792.pdfIn PDF document text
    • https://kingwaterpure.com/ckfinder/userfiles/files/gefesukanawased.pdfIn PDF document text
    • http://140.121.125.49/ckfinder/userfiles/files/20210916_211648.pdfPDF link annotation
    • https://digireg.gr/upload/vusade.pdfIn PDF document text
    • http://aksaxena.com/bpms/includes/fckeditor_uploads/userfiles/file/jalonutunuz.pdfIn PDF document text
    • http://knuhpharm.kr/userfiles/file/20210918043302.pdfIn PDF document text
    • https://provisionsinternational.com/wp-content/plugins/formcraft/file-upload/server/content/files/161415ac11e3c3---lovijiwoz.pdfIn PDF document text
    • https://e-midas.ro/files/file/vusorarek.pdfIn PDF document text
    • https://burkina-businessschool.com/business_school/uploads/file/dofixoxadogevivof.pdfIn PDF document text
    • https://sanghvicranes.com/staging/media/gotelizejudokowonadifu.pdfIn PDF document text
    • https://octvads.site/js/ckfinder/userfiles/files/pojusosotimibosenuma.pdfIn PDF document text
    • https://mbamantra.com/ci/userfiles/files/piwogopimasudid.pdfIn PDF document text
    • http://abwlanham.com/uploads/files/fufudubevolusupamip.pdfIn PDF document text
    • http://surveycook.com/upload/tmp/202109/file/14430755866.pdfIn PDF document text
    • http://intechsol.kz/wp-content/plugins/formcraft/file-upload/server/content/files/16139ff2c7f27a---51128126452.pdfIn PDF document text
    • https://aukshanya.promosing.com/alpha/ckfinder/userfiles/files/zisuropebiwugelemupa.pdfIn PDF document text
    • https://holcom-solar.com/webroot/img/files/rojufuredugefezivamazonax.pdfIn PDF document text
    • http://come2menorca.com/images/file/wetuloj.pdfIn PDF document text
    • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/161454e8a85e4a---13311551148.pdfIn PDF document text
    • https://jbdclothiers.net/emailer/userfiles/file/xitafijuwurivoxelo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=what+can+you+make+with+pumpkins+in+minecraftPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD9BF 17496 bytes
SHA-256: 15827b8e14afad6f30703b621691c08dd1077a6de46b971ab3d1e9bced22920c
font_01_sfnt_off00010748.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10748 11084 bytes
SHA-256: f984618bb34e7bf8b0db98abb9a2d69cd46b2b68860a34e97dc1d28489b6456e
font_02_sfnt_off0001210c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1210C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1