Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e37a18568658360…

MALICIOUS

PDF

82.4 KB Created: 2021-07-17 06:18:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 28b9e4f1a01311f23ad60d98830b77e9 SHA-1: f68a9d84efadc954073ecb3dab58e76bcb421b89 SHA-256: 0e37a18568658360a7fc02311e1588ef7b7dfaaaeb834b1d92a3a4a712dcadaf
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, indicating an attempt to execute malicious code within the PDF viewer. It also features a link farm pointing to compromised WordPress upload storage, suggesting a distribution mechanism for further malicious content. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9833

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.ogblfrontaliers.fr/wp-content/plugins/super-forms/uploads/php/files/1hm7uv7e1kehgcr6f6qln0v0qh/60804155536.pdf In PDF document text
    • http://rybarict.cz/webpagebuilder/ckfinder/userfiles/files/20512161048.pdfIn PDF document text
    • https://xn--i1aam8cb.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/eb99f09e561e270d33232b253d26300c/40151876264.pdfIn PDF document text
    • https://patc.fr/imagesfile/33637109164.pdfIn PDF document text
    • http://demkapi.com/resimler/files/47955552340.pdfIn PDF document text
    • https://www.lightingsolutionsal.com/wp-content/plugins/super-forms/uploads/php/files/99716d7b3361e840c2d157e8e65caeca/74789009849.pdfIn PDF document text
    • https://kogan-photo.ru/wp-content/plugins/super-forms/uploads/php/files/5be922260e430d2e054fdc9a04b88f15/vokirelosamesavekukijoson.pdfIn PDF document text
    • http://www.davidwoodpersonnel.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab9df98d9c7---65770298616.pdfIn PDF document text
    • http://writtenmail.com/upload_images/file/56274210000.pdfIn PDF document text
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d4a4ce9dabf---bimifugupuxepuxafovezo.pdfIn PDF document text
    • https://study-go.info/wp-content/plugins/super-forms/uploads/php/files/ab2659af22fbf141f4760821a2ca4d3a/18263456737.pdfIn PDF document text
    • https://sonarmusic.hu/up_image/file/jizanabobudu.pdfIn PDF document text
    • http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160c96a7e8494e---48801631757.pdfIn PDF document text
    • https://shopinhome.com/ci/userfiles/files/7934124716.pdfIn PDF document text
    • http://carrasvilla.es/uploads/files/jaboponeninuzoresub.pdfIn PDF document text
    • http://classiccar-jp.com/js/upload/files/62185737590.pdfIn PDF document text
    • http://4grd.com/cmsimages/file/fagokuxibod.pdfIn PDF document text
    • http://duancanhotot.com/upload/files/redozekawubewef.pdfIn PDF document text
    • http://optykglowacki.pl/obrazki/files/9703887276.pdfIn PDF document text
    • https://www.ideaklinikbakirkoy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608174b6a25e9---lataje.pdfIn PDF document text
    • http://constantemails.com/userfiles/file/162617468732484446039.pdfIn PDF document text
    • https://www.inkfactory.pk/wp-content/plugins/formcraft/file-upload/server/content/files/160afd5485be63---vagofupusuzofizibatilanim.pdfIn PDF document text
    • http://www.nuricomuvakfi.org/wp-content/plugins/super-forms/uploads/php/files/doa3v3koga1fs3hpli5u06bms1/xaliwiritexisoromitepenot.pdfIn PDF document text
    • https://advancedcheckcashadvance.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ba3f032145d---zifumifem.pdfIn PDF document text
    • https://atlastoursntravels.com/userfiles/file/49203553421.pdfIn PDF document text
    • https://www.litesourcenc.com/wp-content/plugins/super-forms/uploads/php/files/03767ed06af3eb5c607746ce365eb134/54924504425.pdfIn PDF document text
    • http://topopentertainment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a115fa08bc7---87127707268.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3CAf4wW3hvY/uplcv?utm_term=number+theory+pdf+booksPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de5c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE5C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000f673.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF673 10780 bytes
SHA-256: 950443c2d633b964d8b77f7ac18c05aa3659b59fc11b9221f2477a9d81909585
font_02_sfnt_off00010f1b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F1B 16920 bytes
SHA-256: 41f835255dfa8caaa43b130a2f56f6a29585a7629d1f537b14bab398bd9c8523

Open this report in the interactive analyzer, or submit your own file for analysis.