Malicious PDF — malware analysis report

Static analysis result for SHA-256 1798410dd10bd32a…

MALICIOUS

PDF

214.3 KB Created: 2021-07-20 00:15:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: b284fb7291bb3c6a25a52ebacf545a67 SHA-1: aae069ac1cfef9207fed6719c8ce24f9219c7f87 SHA-256: 1798410dd10bd32a096ef2d2427536835fca1de9446138fc48de7a2b74a9a847
174 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing attempt. It contains a link farm pointing to compromised WordPress upload storage, likely serving as a lure for users to download further malicious content. The presence of external URIs and a high-risk ML score supports the phishing classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9800

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/2f43371238996017c84f2918af9f0e7d/89926744179.pdf In PDF document text
    • http://cbelmira.com/wp-content/plugins/super-forms/uploads/php/files/rfocioqsf7j2hf0rh64v8770v1/modisajivimideratezexexo.pdfIn PDF document text
    • https://sipsib.ru/wp-content/plugins/super-forms/uploads/php/files/69c05b6e7d16b7c5aecc54abd86ba7ea/xatelinefudidekij.pdfIn PDF document text
    • https://nowackleverkusen.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b7c056d9e6a---babajil.pdfIn PDF document text
    • https://mecaniquekd.ca/upload/file/94001946479.pdfIn PDF document text
    • https://www.capitalroofingct.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c4de39ad569---37145470553.pdfIn PDF document text
    • http://anvlaw.com/userfiles/file/91435099879.pdfIn PDF document text
    • http://saxonrt.hu/img/userfiles/files/pumafimudepirafawezuxo.pdfIn PDF document text
    • http://www.ddd-iasi.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160f47127720b6---nogelefogomozemarumugug.pdfIn PDF document text
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b57487aa66f---88441846422.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/77378656158.pdfIn PDF document text
    • https://www.prowallpanama.com/wp-content/plugins/super-forms/uploads/php/files/fccea371fa114d27ab68b2f22dd56d2a/sazeluvaguvigub.pdfIn PDF document text
    • http://dok-vo.ru/userfiles/file/karisasu.pdfIn PDF document text
    • http://begemot-rus.com/uploadfiles/file/2021050303092673499.pdfIn PDF document text
    • http://wskinbody.com/data/boardData/files/fowamatizugob.pdfIn PDF document text
    • http://www.risingstars.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160ee2e3a38ab2---redegemepu.pdfIn PDF document text
    • http://adoriantarla.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160b5c55d646ca---26313801553.pdfIn PDF document text
    • https://www.ferienhof-schneider.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a99f8648534---9343200350.pdfIn PDF document text
    • http://www.socalgreatwhite.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608aeb3fbb024---sajesos.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7b2f75a41c---jibuxusaniwerujalesaxow.pdfIn PDF document text
    • http://www.playerclub.ro/wp-content/plugins/formcraft/file-upload/server/content/files/160bcf43b2d973---39048419169.pdfIn PDF document text
    • http://wilkinsconnection.com/clients/9/94/94ba1e7d864c5c8af3bb481f5f9f31de/File/79797322999.pdfIn PDF document text
    • https://www.numberoneporthill.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608de66e1a279---18297105023.pdfIn PDF document text
    • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/07cc752383cfc7e3a913f43c87a9cc2c/rozewarowisaviwevumizaw.pdfIn PDF document text
    • http://barudan.hk/UploadFile/file/20210527045050958.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/DOqCt-cVA4I/uplcv?utm_term=neven+maguire+sherry+triflePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Related samples 8

Ranked by shared artifacts, heuristics, extracted URLs, CVEs, and signatures.

Full JSON: related samples API

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002e803.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2E803 19100 bytes
SHA-256: ab80701f5077954fb4da0306df6cde5c762fe4753c64b980a8cc7890122e0f8b
font_01_sfnt_off000319f7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319F7 10800 bytes
SHA-256: ffb13953276aa4da7c7986f76fd5286106d5e1dc1a7d7d02f08426374f86927e
font_02_sfnt_off000332ab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x332AB 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1

Open this report in the interactive analyzer, or submit your own file for analysis.