Malicious PDF — malware analysis report

Static analysis result for SHA-256 030b7c2723b217a2…

MALICIOUS

PDF

95.1 KB Created: 2021-06-26 15:42:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: 3b5419d92dabd2744973b5f052c21900 SHA-1: 3c3a2dc42533c339bed41af542346c55e3d5f626 SHA-256: 030b7c2723b217a2991f2e3cdd76d9e22c1a5adbbca853d5a214b70f27b45dc1
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF was flagged by ClamAV as 'Pdf.Phishing.Trojan' and an ML classifier indicated a high probability of maliciousness. It contains numerous links, many pointing to compromised WordPress upload directories, suggesting a phishing or malware distribution scheme. The document body is heavily obfuscated and unreadable, providing no direct clues to its intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://penzionriverside.cz/files/file/zexejinorapinin.pdf In PDF document text
    • https://chicagoportablexray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3f70033518---62393683821.pdfIn PDF document text
    • http://alnadaoil.com/userfiles/file/6778743734.pdfIn PDF document text
    • http://www.jindatunnel.com/up_files/file/48333126940.pdfIn PDF document text
    • https://ppuhperspektywa.pl/files/edytor/file/lonafigidewiwene.pdfIn PDF document text
    • http://careerhack.net/wp-content/plugins/formcraft/file-upload/server/content/files/1606c97d8dc8f6---68038335573.pdfIn PDF document text
    • http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/160794c254d53a---vubuj.pdfIn PDF document text
    • https://www.fmworks.com.tr/wp-content/plugins/super-forms/uploads/php/files/11ob0d2utgcgiph2fj2tge081u/gevolidi.pdfIn PDF document text
    • https://m-co.de/wp-content/plugins/super-forms/uploads/php/files/v0sk6dal3p8vatdotv3bs3jl55/veloxufoxajuxok.pdfIn PDF document text
    • https://jennysbooks.com/wp-content/plugins/super-forms/uploads/php/files/386b35e1745eec426e15fd95b1c9adf6/nunavedenonuzixe.pdfIn PDF document text
    • https://glass-haus.ru/wp-content/plugins/super-forms/uploads/php/files/c0651533a959833866725438df3a08bc/38699372834.pdfIn PDF document text
    • https://diversified-nj.com/wp-content/plugins/super-forms/uploads/php/files/0f84f4f1324e03607ca872afc8da2672/mowovozowadiv.pdfIn PDF document text
    • http://www.alquilerbares.com.ar/wp-content/plugins/formcraft/file-upload/server/content/files/160726812213fc---lukedaxijozipogibolan.pdfIn PDF document text
    • https://baohohoanglong.com/userfiles/file/kalas.pdfIn PDF document text
    • http://taiwanglassgroup.cn/userfiles/file/50104176609.pdfIn PDF document text
    • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/nkuceejc9sbm0gdcpi5856kdm0/lojivoxati.pdfIn PDF document text
    • http://wphs69.com/clients/1/13/13dd0a1135c99f886ff4006aa3c820ba/File/zetamodavazotar.pdfIn PDF document text
    • https://nscs.org/wp-content/plugins/super-forms/uploads/php/files/5dbcefdeeaed826c05487d75ce537b95/tovixax.pdfIn PDF document text
    • http://thuexedanang247.com/uploads/image/files/jezeniraz.pdfIn PDF document text
    • https://www.lesson-online.org/wp-content/plugins/super-forms/uploads/php/files/ehfsmjbmp16jhn71p4e87mm0m1/79554035368.pdfIn PDF document text
    • https://gtsonline.nl/wp-content/plugins/super-forms/uploads/php/files/b3jgvonrnpdijakokdal9qaaot/muvad.pdfIn PDF document text
    • https://sirikulsteel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3ffe314894---80396263139.pdfIn PDF document text
    • http://baugeraeteverleih.de/benutzerdateien/1839203653.pdfIn PDF document text
    • https://turismoporsantander.com/aym_image/files/80090350792.pdfIn PDF document text
    • http://asckhn.com/acskhn/userfiles/file/61882716854.pdfIn PDF document text
    • http://vilaportugal.com/wp-content/plugins/formcraft/file-upload/server/content/files/160727e7436877---lirutokaxuv.pdfIn PDF document text
    • https://prtl.pl/userfiles/file/77972943919.pdfIn PDF document text
    • https://xn--80adj7cxa.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/93449c5c1166a7c70744cf88d3d75807/xixinojavesebevixoba.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=protagonist+in+the+hitchhiker%27s+guide+to+the+galaxyPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f65e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF65E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010e70.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E70 18004 bytes
SHA-256: 2e2c0eb58e5ba1b256457f8059305fdecb35b38870cf9164e020ad2961952185
font_02_sfnt_off00013c99.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C99 16632 bytes
SHA-256: e896d0c9c6509c93731645541c0836c845742b74f7fde2e8ff5e94baacc6a6a0
font_03_sfnt_off0001542b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1542B 11092 bytes
SHA-256: a0274ef5a3d77b30bc9428ddb19d083f38cb9b1b05cda031898f099f17fcd383