Malicious PDF — malware analysis report

Static analysis result for SHA-256 17a3ab70e81fa5e3…

MALICIOUS

PDF

87.6 KB Created: 2021-07-07 19:22:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: 087e3cdc4805dfaa443c6e28645b0367 SHA-1: afc310a4809a1c46313bdfe643c7a27530dbb0fa SHA-256: 17a3ab70e81fa5e37446ae1756b652d21bb04f06e488b2b6891838c9179b56a5
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to compromised WordPress upload storage, suggesting it's part of a phishing or scam campaign. The document body, though truncated, indicates a callback lure, prompting users to call a number for fake issues. No scripts were extracted, but the presence of embedded URLs and the nature of the heuristics strongly suggest a phishing attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://amfmeg.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606f5b841a01c---wizuduzixitutipisumaxi.pdf In PDF document text
    • https://baobihungphu.com/media/ftp/file/kejalujilubitumamuf.pdfIn PDF document text
    • http://hondaotohaiphong.vn/upload/files/64565641891.pdfIn PDF document text
    • http://remproekt-m.ru/admin/ckfinder/userfiles/files/11448354331.pdfIn PDF document text
    • http://mesotects.com/wp-content/plugins/formcraft/file-upload/server/content/files/16084c115e6c84---25783783994.pdfIn PDF document text
    • https://www.bountyvacation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c73c7b509e4---bonidek.pdfIn PDF document text
    • http://aceranalitik.com/ckfinder/userfiles/files/44677480792.pdfIn PDF document text
    • https://pluviaterra.mx/wp-content/plugins/super-forms/uploads/php/files/3b601cbc462e23a4265931f3bf6a2047/dumagosunugufer.pdfIn PDF document text
    • http://www.tsssport.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b2d07548f1---23556614126.pdfIn PDF document text
    • http://mattstergamer.com/wp-content/plugins/super-forms/uploads/php/files/bda0ockh5kpfv10vepip0tsuqp/14053333371.pdfIn PDF document text
    • http://rilta.net/userfiles/files/bifonogutexo.pdfIn PDF document text
    • https://kme.pl/global/app/webroot/uploads/file/16253206352689.pdfIn PDF document text
    • http://shqinze.net/admin/upimg/file///29065515993.pdfIn PDF document text
    • https://adbadog.com/wp-content/plugins/super-forms/uploads/php/files/d149df9fefec9c993f72f003c522d5d6/kezimivakobirisos.pdfIn PDF document text
    • http://pansophers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a9a302aa17f---10023531398.pdfIn PDF document text
    • https://www.spreefahrten-berlin.de/wp-content/plugins/super-forms/uploads/php/files/484p4vjb48pcsfdk8005mj2nbe/37058610204.pdfIn PDF document text
    • https://kindliving.org/wp-content/plugins/super-forms/uploads/php/files/tmp/20631167913.pdfIn PDF document text
    • https://global-brand.net/userfiles/files/46256237880.pdfIn PDF document text
    • https://www.mii.net/wp-content/plugins/super-forms/uploads/php/files/6151673c80a3e18670d932c3ca8b4fa9/37394594966.pdfIn PDF document text
    • https://yuss.it/file/5703035251.pdfIn PDF document text
    • https://www.denisonlandscaping.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092deca5d0a3---94326911595.pdfIn PDF document text
    • http://accessiblevehicleservices.com/userfiles/file/77480952698.pdfIn PDF document text
    • http://drukarnia-skawina.pl/app/webroot/media/files/melidenibapomivarugijana.pdfIn PDF document text
    • https://bettenbaehren.de/wp-content/plugins/formcraft/file-upload/server/content/files/160d19d5d0cf22---ginasewuboxikukewovosij.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=we+have+different+gifts+according+to+the+grace+given+usPDF link annotation
    • http://lovewhereyoulv.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/b3ab0e4b347c5349674cd13bb26f515e/76304041562.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000efd2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEFD2 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000107e4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x107E4 17448 bytes
SHA-256: 1b7a0a41019fa047c0890492b76e2a1e5420ee14cf770531d0db705f1936e8ca
font_02_sfnt_off000135a0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x135A0 10868 bytes
SHA-256: 487a1115452fcd9b777f03fb7e3d85ec075db08498b1d100aef6d66245f1cfbe