Malicious PDF — malware analysis report

Static analysis result for SHA-256 0db27959f7a2c359…

MALICIOUS

PDF

109.1 KB Created: 2021-09-16 08:57:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 31282959eb484eb135e9caba7ede7837 SHA-1: 4faf7ac5c29fda8fcf3518cbcbd1e99331c6db36 SHA-256: 0db27959f7a2c3598095515ddfa7fefeef8a68c6ee4b95723d4d4a9249d185e7
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for initiating malicious actions. The presence of multiple heuristics related to link farms and compromised CMS uploads, along with numerous unknown-reputation URLs pointing to PDF files, strongly suggests a phishing or malware distribution scheme. The ClamAV detection further corroborates the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tenekedjieva.com/uploads/file/8423060414.pdf
    • http://ros-grad.ru/fck_editor_files/files/47708344771.pdf
    • https://goacetours.com/ckfinder/userfiles/files/73348822740.pdf
    • http://yuqiaohome.com/uploads/files/202109160002255321.pdf
    • https://yenhuy.vn/upload/files/21678625145.pdf
    • http://kingbikeonline.com/images/upload/File/sesazimuluranakogor.pdf
    • http://xn-----6kcaheblih5ab0a6afqbzoqe.xn--p1ai/ckfinder/userfiles/files/85524047808.pdf
    • https://cargobull.cz/res/file/fetuxolikuzojiginuwoxeli.pdf
    • https://hophamthaibinh.com/upload/files/nejun.pdf
    • http://lovesushiscv.com/uploads/files/88566305769.pdf
    • https://centrumschoolka.pl/photos/file/vesukixebuvowu.pdf
    • https://www.revistadefiesta.com/wp-content/plugins/formcraft/file-upload/server/content/files/161376041d3bba---44447186232.pdf
    • http://ferrocom-spb.ru/userfiles/files/mopubelowowulemokufat.pdf
    • http://aydinservis.com/ckfinder/userfiles/files/lupepinapikofaxiruvatel.pdf
    • https://hacunamatata.ru/wp-content/plugins/super-forms/uploads/php/files/d62dd4a36b82555b405d9e365a8de3ba/92314198834.pdf
    • http://tanabuauto.com/js/upload/files/filenepodano.pdf
    • https://alutat.com/data/file/30685136022.pdf
    • https://cafesca.org/ckfinder/userfiles/files/bojukipulufitudevoxomonix.pdf
    • http://proallprint.com/userfiles/files/kowoxef.pdf
    • http://agecarekorea.com/ckupload/files/sefebuxupo.pdf
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/16138e90f4f394---vowewaf.pdf
    • http://musicandyouapp.com/webupload/editorimg/files/sojigamowotarejebeduluw.pdf
    • http://mamnonkitty.com/webroot/img/posts/files/boxafexapo.pdf
    • https://reformedgeneration.com/userfiles/file/wanufotusagasek.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BkSY9tpko7c/uplcv?utm_term=final+fantasy+vi+psp
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000145b6.bin
1212ff563cc939804c97540b8542ad31513ee4a08f83951d1e355c32cef8b68e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x145B6 19572 bytes
font_01_sfnt_off0001787a.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1787A 16792 bytes
font_02_sfnt_off00019091.bin
30ccbdd00c0e1f7ea18d8b7fbbc8e7466ccdfd3fd0621de9b91caf682470724a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19091 10156 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.