Malicious PDF — malware analysis report

Static analysis result for SHA-256 155270c9cf423b3b…

MALICIOUS

PDF

114.4 KB Created: 2021-07-08 08:18:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 5a8da8b8c8995615c448b379e01a9a10 SHA-1: 26203368c493b8e8d977d4ed3db3afbdd928a690 SHA-256: 155270c9cf423b3bf98957e50d2a7b4f917da3508636894bb8a8f1e859eda258
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF file was identified as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, directing users to multiple external URLs, some of which are hosted on compromised WordPress sites. The presence of numerous links and the use of SEO-related terms in URLs suggest an attempt to lure users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9666

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://drinkandshrink.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160a86a5c9cbaa---dililomave.pdf
    • http://xn--vb0b83rba554gca.kr/page_data/file/20210522093511.pdf
    • http://dsm-trhs68.com/clients/8/81/818e764d3414495a915a5f66638dc9bf/File/xujabazeranowaxujejimizef.pdf
    • http://trainternational.in/wp-content/plugins/formcraft/file-upload/server/content/files/16087ffed4d9db---71901797720.pdf
    • http://fresh-j.info/images/uploadedimages/file/29571403135.pdf
    • http://www.hypnotiseur.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c2ee7b64d6---nipifepe.pdf
    • http://wakingbeauty.com/wp-content/plugins/formcraft/file-upload/server/content/files/160858ee8081dd---zonugexigozepijitikowam.pdf
    • https://condicionamentofisico.com/arquivos/file/75816696327.pdf
    • http://www.icodar.com/wp-content/plugins/formcraft/file-upload/server/content/files/160df5a6d21d1f---tedoreluzefesitit.pdf
    • https://www.heracles-hotel.eu/wp-content/plugins/super-forms/uploads/php/files/ju4d1o8n7tn9sn57dgsjh7o0r3/15331875681.pdf
    • http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/uusafea518mh9fn7uverh2sct3/33772211216.pdf
    • https://xn-----6kcabagcgfjsxjciriy6alkh6a7aqk.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/b793438b1fb0f187654e58424a5c8177/kufagajezopebu.pdf
    • https://assurancemauricie.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097187466a1e---26711339356.pdf
    • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5b27974d31---dojasisewarifonubipedat.pdf
    • https://sailstudy.in/ckfinder/userfiles/files/juwijokiwewefeku.pdf
    • https://sancarspune.com/wp-content/plugins/super-forms/uploads/php/files/7085336f5d781683d16849e215adc3c3/puruto.pdf
    • http://thesecurityguardunion.ca/userfiles/files/64908177515.pdf
    • http://ahkjt.com/upfile/file/5166636295.pdf
    • http://www.barankayalar.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1606d5eed66713---80249299301.pdf
    • http://agendatourvietnam.com/hinhanh/file/juwavosuretibiduj.pdf
    • https://www.c2commercial.com/wp-content/plugins/super-forms/uploads/php/files/265edcd62c04a6a0d806c50c4581b36b/17187404006.pdf
    • http://banglatalkies.com/dynamic-images/cms/file/93696123758.pdf
    • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fef150cda8---sevatiteridekogab.pdf
    • http://pinturasoltra.com/images/slider/files/puzamagumiwivibupu.pdf
    • http://www.saraviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607108dab6820---16207762065.pdf
    • http://intergeored.com/upload/File/visimixijezo.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/BvfzZFkJO3s/uplcv?utm_term=modern+construction+materials+in+civil+engineering+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00014a8a.bin
8d29d2522d77bda494985b5a524e35b812915c2a3cab74ebb97a3bb69e84ee09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14A8A 11124 bytes
font_01_sfnt_off0001644b.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1644B 16792 bytes
font_02_sfnt_off00017c58.bin
75625b3b4ead3557f4539b85de0e7ac3be434496fb91fbbf18e756d7585d8bc8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17C58 4180 bytes
font_03_sfnt_off00018bc7.bin
ffbaf292b720e2242ad104f242f49ea0be110cfb9a4e6450910179e7db9fdf4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18BC7 18120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.