Malicious PDF — malware analysis report

Static analysis result for SHA-256 16204c8c9253c077…

MALICIOUS

PDF

83.1 KB Created: 2021-09-05 10:01:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 51a9e4fa3a96edc429f80558c650f1a5 SHA-1: 683bb439e0c5058ab5c3857a8dc70b10ec86f4ae SHA-256: 16204c8c9253c077c84af2337c0f54c4a2f75009c0d39a7a1c2555c7c74bb3d5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and an ML classifier, with heuristics indicating it functions as a link farm pointing to compromised WordPress uploads and disposable hosting. The embedded URLs, such as 'https://queure.ru/uplcv?utm_term=cedaw+myanmar+pdf', are likely used to redirect users to phishing sites or download further malware. No scripts were extracted, but the PDF structure and URL patterns strongly suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://queure.ru/uplcv?utm_term=cedaw+myanmar+pdf PDF link annotation
    • http://ghalemdi.com/userfiles/file/gotifosijomijaxaxane.pdfIn PDF document text
    • http://www.training4thefuture.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160e834b114fa8---64415262700.pdfIn PDF document text
    • https://pensionatiitalianiinportogallo.it/wp-content/plugins/super-forms/uploads/php/files/184bd21baa76d242f86a6b244458fc52/97840309066.pdfIn PDF document text
    • https://prana.video/wp-content/plugins/super-forms/uploads/php/files/uhsrivks8ll7m0j6tb2mh7hs6d/12646548106.pdfIn PDF document text
    • http://asesoriagarpe.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aad2b15417e---kutubinigizuvut.pdfIn PDF document text
    • https://intelean.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a7e4dc6b8dd---80264090013.pdfIn PDF document text
    • https://whitesal.com/data/images/file/9142_20210628004946.pdfIn PDF document text
    • https://fellowpeo.com/wp-content/plugins/super-forms/uploads/php/files/03cbb0f2f059fc8884596f3552809cdc/guwulobonixobemoxex.pdfIn PDF document text
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/fp00pl6oesdfu0fge3h8oh0ij2/sasuwagatebigurasuwef.pdfIn PDF document text
    • https://unserbiokorb.ch/userfiles/file/wosuvidamip.pdfIn PDF document text
    • https://www.llgnjinc.com/wp-content/plugins/super-forms/uploads/php/files/e9567e7731c8c2c846f12b397f54f80e/verebejiwosogoselo.pdfIn PDF document text
    • http://coreaad.com/DreamDataUpload/file/xamabujuwejivufufotumizix.pdfIn PDF document text
    • http://bluedevils59.com/clients/862365/File/97928436245.pdfIn PDF document text
    • http://ukwoodrecycling.com/userfiles/files/motofidananorifewemi.pdfIn PDF document text
    • http://nyett.hk/uploads/news/files/24174027477.pdfIn PDF document text
    • http://afgventuregroup.com/cfiles/file/xugowosemo.pdfIn PDF document text
    • https://jxloanchien.com/style/postimage/file/kuzupitinowojawinetogaza.pdfIn PDF document text
    • https://cvenhancer.com/wp-content/plugins/super-forms/uploads/php/files/56a625a3531bb5228a7662a619e986ae/20409191993.pdfIn PDF document text
    • https://www.chauffeur-prive-nice.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607c8e6fd8b4a---65537273388.pdfIn PDF document text
    • http://www.beverburcht.nl/upload/files/20530162760.pdfIn PDF document text
    • https://gsm.company/ckfinder/userfiles/files/veruzuxidupujininuwa.pdfIn PDF document text
    • http://sts-logistika.ru/wp-content/plugins/super-forms/uploads/php/files/09f88fbbe995283a0689cb6560d6f0fa/vivenujivetukanogimavef.pdfIn PDF document text
    • http://www.microsinusectomi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607723460face---51895523962.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e1a5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE1A5 17864 bytes
SHA-256: dda8a5a9713d46a9384776ed453dfc66eab95ea235a527dcfeffdcfb0cb7d6b9
font_01_sfnt_off00010f98.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F98 10364 bytes
SHA-256: 89e9795611168d5eb92e40df0be9d6b93e9a0deb9bc4343c4d6f47504e5d6c39
font_02_sfnt_off00012702.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12702 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1