Malicious PDF — malware analysis report

Static analysis result for SHA-256 119d51cc23dc5ef6…

MALICIOUS

PDF

89.1 KB Created: 2021-09-06 01:16:18 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: a8c319d81ba52a9285a6656fd59d55a1 SHA-1: 4c21f86bd1987f05d4bc0b4fe506380468ef5906 SHA-256: 119d51cc23dc5ef684484ccbb75690bebfc32942e732abb610b402c0102347e5
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, a common technique for executing malicious code within PDFs. It also features numerous links pointing to compromised WordPress sites, suggesting a phishing or malware distribution campaign. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or delivering a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d470faa830---lapeta.pdf In PDF document text
    • http://motoren-adachi.com/js/upload/files/tijumoverurosej.pdfIn PDF document text
    • http://sparan-art.ru/ckfinder/userfiles/files/74136400064.pdfIn PDF document text
    • https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b2fcd2452da---kubafasedebajizukapovis.pdfIn PDF document text
    • https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/56da53544d2e34e0a400918fd23c321c/1391463100.pdfIn PDF document text
    • http://pnmanagementsolutions.in/uploads/10745217630.pdfIn PDF document text
    • http://nek.ua/wp-content/plugins/formcraft/file-upload/server/content/files/16072aa9539301---68082207322.pdfIn PDF document text
    • https://nuregio.de/wp-content/plugins/formcraft/file-upload/server/content/files/160cb2cf0e8615---10945651586.pdfIn PDF document text
    • https://jodhpurtravels.com/nbloom/fckuploads/file/73158748746.pdfIn PDF document text
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608cd0ccae935---43776238664.pdfIn PDF document text
    • http://anhuishangbiao.com/upload_fck/file/2021-8-18/20210818171651772964.pdfIn PDF document text
    • http://www.ciesol.com/ckfinder/userfiles/files/59270222380.pdfIn PDF document text
    • https://cedarcreeksauce.com/wp-content/plugins/super-forms/uploads/php/files/dd243174ec36f3aea8e403743f9ffeac/64047581399.pdfIn PDF document text
    • https://anne-berger.de/sites/anne-berger.de/files/fkcfile/rusuwazadazakepetalejuja.pdfIn PDF document text
    • http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/af2d6803934429890f29fa785ea6e861/watezawezipatotu.pdfIn PDF document text
    • http://kapsalonvogue.nl/files/file/sufipumedij.pdfIn PDF document text
    • http://trunglam.vn/uploads/userfiles/file/fifezaz.pdfIn PDF document text
    • http://fsanaq.com/upload/file/210719142654766252r3gc9326my8g.pdfIn PDF document text
    • http://mspchicagolaw.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/86551494767.pdfIn PDF document text
    • https://nuevocoach.co.uk/wp-content/plugins/super-forms/uploads/php/files/bb1c7f24989e916fc49060cb9a33181c/98104542359.pdfIn PDF document text
    • https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/c3nklv182dbflsp1iha36iecq5/jupixezizufovevilakuri.pdfIn PDF document text
    • https://almondzwealth.com/administrator/imagetemp/file/36135498849.pdfIn PDF document text
    • http://polkovnik.su/upload/file/wokakaxazamajoligedife.pdfIn PDF document text
    • http://kaufdeinauto.de/wp-content/plugins/formcraft/file-upload/server/content/files/160f066d012401---42000808248.pdfIn PDF document text
    • https://alate.org/admin/fckeditor/editorfile/dobemodafivejifiso.pdfIn PDF document text
    • http://julianina.dk/upload/file/sozamiposezexoraxa.pdfIn PDF document text
    • https://przyklejki.pl/userfiles/xamigigiguzavigiful.pdfIn PDF document text
    • https://catherinehourihan.art/wp-content/plugins/super-forms/uploads/php/files/24fdcb3f48f41b2d80ea0c1edfa91410/bojomexaxobon.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/zMnd8XtcwSM/uplcv?utm_term=bardwell+f4+manual+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f691.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF691 18628 bytes
SHA-256: 43e1f3e4ffc19094fc7f36cf644dca185a69024a1f3d81a4018b89185066bf5b
font_01_sfnt_off000126b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x126B3 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013eca.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13ECA 10496 bytes
SHA-256: e156d4abd2dc377f08736b135344e1aaee2fec4dbf47413635f6690c051f4ccf

Open this report in the interactive analyzer, or submit your own file for analysis.