Malicious PDF — malware analysis report

Static analysis result for SHA-256 121693a07045a02d…

MALICIOUS

PDF

Size: 110.9 KB
Created: 2021-07-01 09:28:29 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-08-25

MD5: f7318df5435cf06dd566ab8f8340b8fa
SHA-1: e2cd74bb95937cb79eecc30659e01643ab355943
SHA-256: 121693a07045a02d5d16b221a0aa6a87e18ec892255fe42220347d933b48efef

Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

ClamAV and an ML classifier both flag the file as a malicious PDF. Its text and link annotations carry more than two dozen links, spread thinly across unrelated hosts, whose targets are random-slug PDF files parked in the upload directories of WordPress form plugins (Super Forms, FormCraft) and similar CMS upload paths on compromised sites. That is the shape of the 'free document/template' SEO phishing PDF family: the document ranks for search queries and routes readers into redirect or payload chains hosted elsewhere. Static analysis found no exploit or active content in the PDF itself; the risk is the linked destinations, so the T1203 mapping above describes the downstream payload stage rather than anything observed in this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9756

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage (medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thinly across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.brightfieldbusinesshub.co.uk/wp-content/plugins/super-forms/uploads/php/files/n8t29vrplpug1k8upl13juver8/xufududakopu.pdf (in PDF document text)
    • https://studio-september.com/wp-content/plugins/super-forms/uploads/php/files/e14cd07d1c2966cb1ff9811a9d37c365/pilakuworib.pdf (in PDF document text)
    • http://74ahs.com/clients/2/2a/2a132ee8da0778863662fd4b1fa251ed/File/11454460118.pdf (in PDF document text)
    • https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/2aeabcc6f048eaabf8653fd5c77b5d0a/sebuzatapibegujaso.pdf (in PDF document text)
    • http://goteneplast.se/files/images/file/xibadixur.pdf (in PDF document text)
    • https://youstore21.com/wp-content/plugins/super-forms/uploads/php/files/a6cddbe1cfda655f618439f174f8a03b/belijixasuxidatubub.pdf (in PDF document text)
    • https://wlao.on.ca/wp-content/plugins/super-forms/uploads/php/files/9615d244601de09781a74c18dfc7e8d0/80157126784.pdf (in PDF document text)
    • https://damiel.eu/userfiles/file/salelezuzuzigipa.pdf (in PDF document text)
    • http://prime-standard.com/piceditor/file/zelixij.pdf (in PDF document text)
    • https://marblobaths.com/app/webroot/img/files/wukepufefu.pdf (in PDF document text)
    • http://springswellness.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a017e258e35---91015725018.pdf (in PDF document text)
    • http://ccswcd.com/userfiles/file/moxak.pdf (in PDF document text)
    • https://newat.ru/wp-content/plugins/super-forms/uploads/php/files/25b9f67d3691e83a5029ad9e9d7e63bf/41548385188.pdf (in PDF document text)
    • https://brylka-kfz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b76aab8587f---jakivuvebovit.pdf (in PDF document text)
    • http://mobydick-band.de/fckdata/file/geputanifo.pdf (in PDF document text)
    • http://abacusnancy.com/userfiles/file/95616238120.pdf (in PDF document text)
    • http://anatolianlgs.com/userfiles/file/79072489408.pdf (in PDF document text)
    • http://www.deadclan.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c5ce578493e---somasasiburuwipazetekum.pdf (in PDF document text)
    • http://www.britocunhaadvocacia.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/160774c40d6343---45091969163.pdf (in PDF document text)
    • http://iwish-cosmetics.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081af1b0623b---87236796591.pdf (in PDF document text)
    • https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aec74dd1c33---koluze.pdf (in PDF document text)
    • http://amphorabeautyclub.com/campannas/file/89932202560.pdf (in PDF document text)
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/19d761df64b5f3b5ac269a1ec6789c41/koresaduv.pdf (in PDF document text)
    • https://nutricionintravenosa.com/wp-content/plugins/super-forms/uploads/php/files/f889f6fde42ed54439bad35896e75a85/webibuvananoji.pdf (in PDF document text)
    • https://divorcioconsensual.com.br/wp-content/plugins/super-forms/uploads/php/files/462aff157be30a5eae8434ceca90348b/vusetisus.pdf (in PDF document text)
    • https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=meaning+of+reintroduced (PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    The last eight entries are XMP schema namespace URIs and the DejaVu font licence URL carried by the embedded fonts, not user-clickable targets; only the entries above them count toward the link-farm heuristics.
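The two link-farm heuristics above (PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM and PDF_SEO_DISPOSABLE_LINK_FARM) can be reproduced from the URL list alone. The script below is an added example, not the analysis engine's own code: it pulls /URI targets out of an uncompressed link annotation, then scores a URL set on host diversity, form-plugin upload-directory paths and the utm_term redirector. The upload-path patterns, thresholds and the /URI scanner are assumptions made for this example; the sample URL list is built from entries in this report, and the benign control list and the annotation fragment are constructed.

```python
"""Link-farm triage over a PDF's URL set (added example, not the report's engine)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Upload-directory shapes of the WordPress form plugins named in the report
# (Super Forms, FormCraft) and the generic CMS upload paths in its URL list.
# Assumption: illustrative patterns, not the engine's real signature set.
UPLOAD_DIR_PATTERNS = [
    re.compile(r"/wp-content/plugins/super-forms/uploads/php/files/[0-9a-z]+/", re.I),
    re.compile(r"/wp-content/plugins/formcraft/file-upload/server/content/files/", re.I),
    re.compile(r"/(userfiles|fckdata)/file/", re.I),
]
SEO_REDIRECTOR = re.compile(r"[?&]utm_term=", re.I)

# XMP namespace URIs sit in the metadata of almost every PDF and are not
# clickable targets, so they must never count as external links.
XMP_NAMESPACE_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}


def extract_uri_actions(pdf_bytes):
    """Return /URI targets of link annotations from an uncompressed PDF body.

    A raw byte scan rather than a full parser, so it also sees objects a strict
    reader would drop; targets inside compressed object streams stay invisible.
    """
    hits = re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", pdf_bytes)
    return [m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")") for m in hits]


def score_link_farm(urls, min_pdf_links=8, max_dominant_share=0.5, min_cms_hits=3):
    """Apply the two link-farm heuristics and return the evidence they rest on.

    Thresholds are assumptions chosen for this example. The 'free/disposable
    content host' corroboration the report mentions is left out; only the
    utm_term redirector is used.
    """
    pdf_hosts, cms_hits, seo_redirector = [], 0, False
    for url in urls:
        p = urlparse(url)
        host = p.netloc.lower()
        if p.scheme not in ("http", "https") or not host or host in XMP_NAMESPACE_HOSTS:
            continue
        if SEO_REDIRECTOR.search(url):
            seo_redirector = True
        if p.path.lower().endswith(".pdf"):
            pdf_hosts.append(host)
            if any(pat.search(p.path) for pat in UPLOAD_DIR_PATTERNS):
                cms_hits += 1
    hosts = Counter(pdf_hosts)
    dominant_share = max(hosts.values()) / len(pdf_hosts) if pdf_hosts else 0.0
    return {
        "pdf_links": len(pdf_hosts),
        "distinct_hosts": len(hosts),
        "dominant_share": round(dominant_share, 3),
        "cms_upload_hits": cms_hits,
        "seo_redirector": seo_redirector,
        # random-slug targets in plugin upload directories on unrelated hosts
        "PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM": cms_hits >= min_cms_hits,
        # many PDF links, no dominant host, plus an SEO redirector link
        "PDF_SEO_DISPOSABLE_LINK_FARM": (
            len(pdf_hosts) >= min_pdf_links
            and dominant_share <= max_dominant_share
            and seo_redirector
        ),
    }


# Sample input: ten of the PDF links from this report, its one link
# annotation, and three of its XMP/font-metadata URLs.
SAMPLE_URLS = [
    "https://www.brightfieldbusinesshub.co.uk/wp-content/plugins/super-forms/uploads/php/files/n8t29vrplpug1k8upl13juver8/xufududakopu.pdf",
    "https://studio-september.com/wp-content/plugins/super-forms/uploads/php/files/e14cd07d1c2966cb1ff9811a9d37c365/pilakuworib.pdf",
    "http://74ahs.com/clients/2/2a/2a132ee8da0778863662fd4b1fa251ed/File/11454460118.pdf",
    "https://whitelightdesign.com/wp-content/plugins/super-forms/uploads/php/files/2aeabcc6f048eaabf8653fd5c77b5d0a/sebuzatapibegujaso.pdf",
    "http://goteneplast.se/files/images/file/xibadixur.pdf",
    "https://damiel.eu/userfiles/file/salelezuzuzigipa.pdf",
    "http://springswellness.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a017e258e35---91015725018.pdf",
    "http://ccswcd.com/userfiles/file/moxak.pdf",
    "http://mobydick-band.de/fckdata/file/geputanifo.pdf",
    "https://brylka-kfz.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b76aab8587f---jakivuvebovit.pdf",
    "https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=meaning+of+reintroduced",
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://ns.adobe.com/xap/1.0/",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

# Constructed benign control: a report citing nine PDFs on its own host.
BENIGN_URLS = [f"https://www.example.org/papers/{i}.pdf" for i in range(9)] + [
    "https://www.example.org/index.html",
]

# Constructed fragment of an uncompressed link annotation object.
SAMPLE_ANNOT = (
    b"7 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
    b"   /A << /S /URI /URI (https://feedproxy.google.com/~r/skout/mBVl/~3/Om9ozkHLxGw/uplcv?utm_term=meaning+of+reintroduced) >> >>\n"
    b"endobj\n"
)

if __name__ == "__main__":
    print(extract_uri_actions(SAMPLE_ANNOT))
    print(score_link_farm(SAMPLE_URLS))
    print(score_link_farm(BENIGN_URLS))
```

The benign control is the point of the dominant-host check: a genuine report that cites nine PDFs on its own site has a dominant share of 1.0 and no plugin upload paths, so neither flag fires, while the sample set from this report trips both.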
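The PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristic above is worth seeing concretely, because the same shape is either harmless (an incremental save rewrote the Info dictionary) or a parser-confusion trick depending on what the redefined object contains. The script below is an added example, not the report's tooling: it scans raw bytes for every `N G obj ... endobj` definition, reports object numbers whose bodies differ, shows which body a first-wins and a last-wins reader would use, and escalates only when a variant carries active-content keys. The key list, the byte-scanning regex and the two-revision sample PDF (no xref tables, offsets omitted) are assumptions constructed for this example.

```python
"""Duplicate-object triage for a PDF (added example, not the report's engine)."""
import re
from collections import defaultdict

# "N G obj ... endobj" on the raw bytes. A literal 'endobj' inside a binary
# stream would end a body early; adequate for uncompressed samples.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Dictionary keys whose presence makes a redefined object worth escalating.
# Assumption: an illustrative list, not the engine's.
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/EmbeddedFile")


def object_bodies(pdf_bytes):
    """Map (num, gen) -> list of body bytes, in file order."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf_bytes):
        defs[(int(m.group(1)), int(m.group(2)))].append(m.group(3).strip())
    return defs


def find_duplicate_objects(pdf_bytes):
    """Objects defined more than once whose bodies are not byte-identical."""
    return {k: v for k, v in object_bodies(pdf_bytes).items() if len(set(v)) > 1}


def classify_duplicates(dups):
    """'info' for body-only churn (a normal incremental update), 'high' when any
    variant carries active content, mirroring the report's severity rule."""
    return {
        key: "high" if any(k in body for body in bodies for k in ACTIVE_KEYS) else "info"
        for key, bodies in dups.items()
    }


def resolve(pdf_bytes, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen).

    Real readers walk the xref chain; this models the two common outcomes so
    the analyst can see what each camp of viewers would render.
    """
    bodies = object_bodies(pdf_bytes).get((num, gen), [])
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


# Constructed sample: a base revision, then an incremental update that
# refreshes the Info dictionary (benign) and rewrites the Catalog to add an
# OpenAction. xref tables are left out; the scanner does not need them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210701092829+03'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    b"3 0 obj\n<< /Producer (wkhtmltopdf 0.12.5) /ModDate (D:20210825000000Z) >>\nendobj\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
    b" /OpenAction << /S /URI /URI (https://example.invalid/landing) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    dups = find_duplicate_objects(SAMPLE_PDF)
    for key, severity in classify_duplicates(dups).items():
        print(key, severity, [body[:48] for body in dups[key]])
    print("first-wins catalog:", resolve(SAMPLE_PDF, 1, 0, "first"))
    print("last-wins catalog: ", resolve(SAMPLE_PDF, 1, 0, "last"))
```

On the sample, object 3 0 (Info) is flagged at info severity because only /ModDate changed, while object 1 0 (Catalog) is raised to high because the later body adds an /OpenAction; a first-wins reader opens a document with no action and a last-wins reader follows the URI on open, which is exactly the disagreement the heuristic is looking for.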

Extracted artifacts (5)

Files carved from inside the sample during analysis.

stream_005_off0001495c.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1495C
  Size: 18328 bytes
  SHA-256: d9f5e66163d907df9b2c2f031b8906ab183602eda4757f3e8ef428a9cf922d60

font_00_sfnt_off0000dec1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDEC1
  Size: 24532 bytes
  SHA-256: a51e91f2187f0cb392d782665f795ced270356708bf4820dd7772ed3363610ae

font_01_sfnt_off00011960.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11960
  Size: 10528 bytes
  SHA-256: a377e2943a882da8b242d0f3775899f1cded3ec867d23032d45bd33068bba16b

font_02_sfnt_off0001314b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1314B
  Size: 16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

font_04_sfnt_off000166f5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x166F5
  Size: 24756 bytes
  SHA-256: 6996cdf3813191180446ec84f4efa16075cb42950d9081c085abf77baa828a87