Malicious PDF — malware analysis report

Static analysis result for SHA-256 144e4086a4f7236c…

MALICIOUS

PDF

98.1 KB Created: 2021-09-05 17:18:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 6cb01295cf70d641814c4b7fa09382f4 SHA-1: b42ff6ba2f97423b758c23bc45ae66bdd4acb135 SHA-256: 144e4086a4f7236c7783e50b316ef024085c78e8288dbc7634fdcf7957547565
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links, many pointing to compromised CMS uploads and disposable hosting, suggesting a link farm designed to redirect users to malicious sites. No scripts were extracted, but the presence of multiple external URIs and the overall structure strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jgbt.us/pds/userfiles/files/39920492102.pdf In PDF document text
    • https://queensflower.nl/clientfiles/80392095678.pdfIn PDF document text
    • http://katachizu.com/img/news/files/funobatijimi.pdfIn PDF document text
    • http://odessawa.com/userfiles/file/tofukoko.pdfIn PDF document text
    • http://studiotipaldo.com/userfiles/files/xubeminekaf.pdfIn PDF document text
    • https://foundryindia.org/userfiles/file/38907660635.pdfIn PDF document text
    • https://bharatiyabhashaparishad.org/ckfinder/userfiles/files/71471743631.pdfIn PDF document text
    • http://budohurtsa.pl/userfiles/file/4916257945.pdfIn PDF document text
    • https://ksi-system.pl/editorfiles/file/52554946146.pdfIn PDF document text
    • http://reclaimsplus.com/wp-content/plugins/super-forms/uploads/php/files/e017297118d211e42e59ed7a0bd54f57/76842501019.pdfIn PDF document text
    • https://harpethvalleypto.org/wp-content/plugins/super-forms/uploads/php/files/e5e97325c194ce0be40f24402a4e9104/67835218160.pdfIn PDF document text
    • https://joebalogh.ro/imagini_ws/fobixulibu.pdfIn PDF document text
    • https://atlasautoglass.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e99002dcaf---84270173332.pdfIn PDF document text
    • https://www.expoagrogto.com/wp-content/plugins/super-forms/uploads/php/files/28317e07630d3b0398484b96815f9ead/56978860153.pdfIn PDF document text
    • https://www.karenlovelee.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d66c14443c5---fajusab.pdfIn PDF document text
    • https://vestol.bg/files/file/26931997737.pdfIn PDF document text
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/663d6ce6ed8670305f931713b43e3bfd/filinoni.pdfIn PDF document text
    • http://dhf-china.com/d/files/17606731125.pdfIn PDF document text
    • https://www.mozartcantat.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16075af3e2bf7a---somijitunokugamotijozeni.pdfIn PDF document text
    • https://www.hermanosvalerorecio.com//ckfinder/userfiles/files/wadetixemuridubiwimana.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/S30rS-6n6vg/uplcv?utm_term=countess+of+chester+hospital+map+pdfPDF link annotation
    • https://bxthirteen.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/e57acafea7894174cc83c75d098a5e3a/18028857782.pdfIn PDF document text
    • http://kioskcondoweb.wpengine.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607146cb17a31---77665839033.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00011537.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11537 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00012d49.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12D49 19648 bytes
SHA-256: 34d4810186c320842986be14e1698117d8de01e4194cbafbbc38b381fe44c07b
font_02_sfnt_off0001611b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1611B 11016 bytes
SHA-256: 0b6f69aa18c889964caece5e1c317dac6337316b59bf8f4fa79981cc8768f0e9

Open this report in the interactive analyzer, or submit your own file for analysis.