Malicious PDF — malware analysis report

Static analysis result for SHA-256 03ccb94577076f59…

MALICIOUS

PDF

85.6 KB Created: 2021-08-13 21:29:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: fb4ee96c1d6f22ea44d568f88b16d71f SHA-1: a27fd19fb74d123ea4f01733cd4fc55d2f79eb4d SHA-256: 03ccb94577076f5953b47ce3417498302c0c16f3273460bbb46066e74907c4ac
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious content. It contains a link farm pointing to compromised websites and a deceptive download button, suggesting a phishing or malware distribution attempt. The presence of numerous external URIs and compromised CMS upload links further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9903

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.ibyservice.com/wp-content/plugins/super-forms/uploads/php/files/de589284d579a6a92c5c7530d5cd65a7/79684552090.pdf In PDF document text
    • http://dermaktif.com/imgup/file/bapajiwebonufebakunoke.pdfIn PDF document text
    • http://lbs.ac.at/wp-content/plugins/super-forms/uploads/php/files/a77m2d3cckcj0no5022706huk9/70511403855.pdfIn PDF document text
    • http://dharmapremipariwar.org/userfiles/file/96089309705.pdfIn PDF document text
    • https://www.rowtheerne.com/wp-content/plugins/super-forms/uploads/php/files/30d28f937feaba277a608f5aca6d28e0/nulavuzoritiwujirisabid.pdfIn PDF document text
    • http://dienlanhlongan.com/upload/files/33299623709.pdfIn PDF document text
    • http://studiolorenzoni.eu/userfiles/files/nuragaxigepogijuv.pdfIn PDF document text
    • https://nailseasupportgroup.com/wp-content/plugins/super-forms/uploads/php/files/472d009c86903b3cfdfff9dbd11137af/manuvelevagijeratugososa.pdfIn PDF document text
    • https://www.budgetskemaet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/160731fc0460cf---relofaf.pdfIn PDF document text
    • http://ipsgroupjjn.org/userfiles/file/loseverowidifo.pdfIn PDF document text
    • http://www.canadavisaservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/16082311f491b4---42645853773.pdfIn PDF document text
    • http://www.191seo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609a8c0abe508---60083280938.pdfIn PDF document text
    • http://www.hangmandigital.com/files/file/vukasezaxevodijawakurare.pdfIn PDF document text
    • https://www.servicioscalibrados.com/wp-content/plugins/super-forms/uploads/php/files/8b0503ad29609919ed2def3e1b54fdcc/gupijaguliloru.pdfIn PDF document text
    • http://www.annaleehuber.com/content_files/file/7462443255.pdfIn PDF document text
    • https://indiantalentjunction.com/milan/media/81178880186.pdfIn PDF document text
    • http://www.airportlimofortlauderdale.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b73e4b86602---76067340579.pdfIn PDF document text
    • http://accurateverdicts.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5e887e0bf0---ruxidiwepagiwegojenifara.pdfIn PDF document text
    • http://vegasoft.hr/wp-content/plugins/formcraft/file-upload/server/content/files/1609d16d87961a---golevakemefiga.pdfIn PDF document text
    • https://www.stamfordtaxis.com/wp-content/plugins/super-forms/uploads/php/files/4uckiuinjms4ut6dgojkvrlij1/36219723919.pdfIn PDF document text
    • https://sanmall.ru/files/uploads/files/61385249331.pdfIn PDF document text
    • https://cffcommunications.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/160b249445baa9---pelafarilaw.pdfIn PDF document text
    • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/d341b4abaa0b36cd49395a45a027cf69/77147223477.pdfIn PDF document text
    • https://orig-shop-gsm.ro/ckfinder/userfiles/files/65873788468.pdfIn PDF document text
    • https://puertoestereo.com/wp-content/plugins/super-forms/uploads/php/files/jbcla6amfrrvp9omgop9pqu08l/doxuzeravupevorijusibewat.pdfIn PDF document text
    • https://bibliotheque-des-arts.ch/ckfinder/userfiles/files/refixakukaz.pdfIn PDF document text
    • https://www.mercedesbenzofaustinservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084eefac062c---2571819747.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/PmAiG5ZyT-k/uplcv?utm_term=clinical+sports+medicine+5th+edition+pdf+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e472.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE472 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000fc84.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFC84 17944 bytes
SHA-256: a56067301f719f249ba00f25ae27e71a63a726b504575999a94797dc14de7ebf
font_02_sfnt_off00012b5f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12B5F 11136 bytes
SHA-256: 5ebebbb8760c4abef179583f1b42a364dbc7fe47bfe717ae6d74dd8a73ba0982