Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b9a23f56cf46455…

MALICIOUS

PDF

67.9 KB Created: 2021-06-21 19:54:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e9a68ccc388f516f44f18cec35aad49e SHA-1: a0da9d778c95c01e7ea1ee4b983d8a65833cf2fb SHA-256: 0b9a23f56cf4645522d8fe9b15336ded6a526175a47d2dbf35412e79b94295fc
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The ML classifier and ClamAV detection strongly indicate malicious intent. The PDF contains numerous links to compromised WordPress sites, suggesting a link farm used for phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and URL patterns are consistent with malicious document lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://irmascaritasdejesus.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160ac31bf4a979---98093374516.pdf
    • https://www.adler-leitishofen.de/wp-content/plugins/formcraft/file-upload/server/content/files/16094616e70a81---texipuwuriverumusitivurox.pdf
    • http://cinstech-inspect-survey.com/fckeditor_userfiles/file/98630296394.pdf
    • https://pankalconstructora.com/wp-content/plugins/formcraft/file-upload/server/content/files/16075944096461---3479725091.pdf
    • http://www.absolutecateringla.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a8344ac8a07---petumuperu.pdf
    • http://anonelectronics.com/admin/fckeditor/editor/filemanager/connectors/php/upload_jpg/file/202104300133182728.pdf
    • https://agronlogistics.com/userfiles/files/96142197503.pdf
    • https://prosegik.com/wp-content/plugins/super-forms/uploads/php/files/6bbacd04a5ee30bc71a9b62193690d41/fobikujered.pdf
    • http://www.herbertvanderbrugghen.nl/draft/zetijagivovipetosa.pdf
    • http://caribsplash.org/wp-content/plugins/formcraft/file-upload/server/content/files/160aaf77edc3ea---ruwafibexit.pdf
    • https://jackyrouxmethode.com/userfiles/file/4989411885.pdf
    • https://ceadersvalet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a192427514b---fetuzupodebaje.pdf
    • http://sazjah.com/wp-content/plugins/formcraft/file-upload/server/content/files/16090f8b480ec8---pogasebadil.pdf
    • http://totalfinance.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160991a0db6ba6---13444024884.pdf
    • https://vizzzio.ru/wp-content/plugins/super-forms/uploads/php/files/39f95d274dea287a160d55c567bcdc4d/31173077607.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=sums+on+perimeter+and+area+for+class+5
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c9eb.bin
6442219713e8f10fc573beaeb1525450ddbd066f6a77bb6fb96463d759614299		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC9EB 5528 bytes
font_01_sfnt_off0000dca2.bin
f45b9dea2ca971ac2401a5e7ada6c56222ced78c4f9af617059b2497f894e43d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDCA2 11280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.