Malicious PDF — malware analysis report

Static analysis result for SHA-256 071c7d8718368e6e…

MALICIOUS

PDF

87.7 KB Created: 2021-09-02 06:56:06 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: f8bf97e4d714454ce3f9324c5ff2e93f SHA-1: 27837443de1e0a2618f1d1c491062c567d66943b SHA-256: 071c7d8718368e6e542bb50998058a41f9684de78527eea730f5af7527bf4f0e
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier indicating a high probability of maliciousness. It functions as a link farm, containing numerous embedded URLs that point to compromised CMS uploads and other potentially malicious PDF files. The presence of a 'download' button lure further suggests an attempt to trick the user into interacting with malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://opuntia.eu/wp-content/plugins/super-forms/uploads/php/files/85ef2006fc0134aa12e570d59602252a/jonavex.pdf In PDF document text
    • http://pololanna.com/user_img/files/77611377006.pdfIn PDF document text
    • https://chataigne-cevennes.fr/imgs/files/latowi.pdfIn PDF document text
    • http://safarekhoob.ir/basefile/safarekhoobir/files/napisobejuvejekixanije.pdfIn PDF document text
    • http://phanphoiongnhuahoasen.vn/upload/files/vefifere.pdfIn PDF document text
    • https://noriupapildu.lt/ckfinder/userfiles/files/34222824352.pdfIn PDF document text
    • http://rybarict.cz/webpagebuilder/ckfinder/userfiles/files/kijitabuza.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/f35ca46c4599df7656743d37c64c5d31/21145843643.pdfIn PDF document text
    • http://www.mediacomriccione.it/wp-content/plugins/formcraft/file-upload/server/content/files/1608058ce58920---notivaletixemese.pdfIn PDF document text
    • http://rilta.net/userfiles/files/juraf.pdfIn PDF document text
    • http://halongbaycruises.org/upload/files/62769129100.pdfIn PDF document text
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16087e850a9901---14880665824.pdfIn PDF document text
    • https://www.sahabatkeluargahomecare.com/wp-content/plugins/formcraft/file-upload/server/content/files/160da7cfe584e7---70657550874.pdfIn PDF document text
    • http://www.nanodrywash.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a45ec9df189---tujisudunelulo.pdfIn PDF document text
    • http://meuble-tunisie.com/userfiles/file/nivojesomubikepasakagak.pdfIn PDF document text
    • https://ambientltg.com/wp-content/plugins/super-forms/uploads/php/files/db742373607d3724c88125abf3d37c24/77987875476.pdfIn PDF document text
    • http://tomnhenryanderson.com/clients/8/8a/8a1068334c160bb49438aafe8043afff/File/3309035469.pdfIn PDF document text
    • http://hagelkonzept.de/userfiles/file/37427012312.pdfIn PDF document text
    • https://mundolibre.cl/uploads/userfiles/files/53234302090.pdfIn PDF document text
    • http://autoneza.cz/UserFiles/File/rabujadapodaxivimoxujiro.pdfIn PDF document text
    • http://chelseacarpet.com/ckfinder/userfiles/uploads/82285592484.pdfIn PDF document text
    • http://tortsurprise.ru/upload/redactor/files/nidawagokobaw.pdfIn PDF document text
    • http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be6ba51fa62---losupajuzamofewegelusode.pdfIn PDF document text
    • http://spearsyounglegacy.com/clients/b/b2/b2c23f164518415ec8f3c1c8d0af542d/File/nusokusadibuxunizewumaliv.pdfIn PDF document text
    • http://barcelonasixtytwo.com/userfiles/file/86889969734.pdfIn PDF document text
    • http://studioassociatoemc.com/userfiles/files/52530365427.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=project+timeline+infographic+templatePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ee57.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEE57 10892 bytes
SHA-256: df6baeee67852af585acaa34a05023d4ba393cd0c7d5a7dc638cc4c3805d2ed2
font_01_sfnt_off00010748.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10748 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00011f5a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11F5A 19204 bytes
SHA-256: f36316c83b57249b5bc91e34b723a049381cf06dc3789d9579b7851bc2d03926