Malicious PDF — malware analysis report

Static analysis result for SHA-256 18296d2264814037…

MALICIOUS

PDF

84.6 KB Created: 2021-07-25 23:48:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 9a82cafe03c9bc240f0821350af93637 SHA-1: b7a945c635f831e05c94ac4ba5c5401988943a53 SHA-256: 18296d2264814037104c63738cf5c601be0980f206335ed3f51e17eac713d24a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file functions as a link farm, directing users to multiple compromised websites. These sites, in turn, host other malicious PDF files, indicating a multi-stage attack. The ClamAV detection and ML classifier strongly suggest malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9918

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://willtorock.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbd45f5432b---xagaxin.pdf In PDF document text
    • https://cls-toronto.com/wp-content/plugins/super-forms/uploads/php/files/3d56ab5de2ad4b44572f5205043fb31a/zagisokawefisa.pdfIn PDF document text
    • http://www.centralperdana.com/file/divumirelidupepuvigo.pdfIn PDF document text
    • https://aguiapromocional.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16087edc1923ac---84373105426.pdfIn PDF document text
    • https://mimpiindah88.com/contents//files/75807777727.pdfIn PDF document text
    • https://pfgmm.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609436c5a0db2---46799000252.pdfIn PDF document text
    • http://www.iqubz.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c0d7517a42---22913811144.pdfIn PDF document text
    • http://myxroad.com/upload/userfiles/file///61229875372.pdfIn PDF document text
    • https://ski-experience-japan.com/images/blog//file/tuxutaxid.pdfIn PDF document text
    • http://churchontherockuk.org/home/churchontherock1/public_html/userfiles/files/redemesosupupigiforofujus.pdfIn PDF document text
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608210e2ded26---nuxetejigodeko.pdfIn PDF document text
    • http://thecargonepal.com/userfiles/file/35892707680.pdfIn PDF document text
    • https://dmddsgn.com/wp-content/plugins/super-forms/uploads/php/files/91f4b24149bb1fbd23a91b7d4048b33c/96468164342.pdfIn PDF document text
    • http://coss-wynn-reunion.com/clients/d/db/dbe3622004495b304d8703879a486b7d/File/50442007543.pdfIn PDF document text
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/16097554564064---tutebubokedel.pdfIn PDF document text
    • http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606d4dec62170---sologeguduf.pdfIn PDF document text
    • https://hpx.com.ua/wp-content/plugins/super-forms/uploads/php/files/97053f7092958e727c34a89ed5981910/81263290868.pdfIn PDF document text
    • https://wulf-sanitaer.de/wp-content/plugins/super-forms/uploads/php/files/4mi8903foet9h8q495r0r7cejt/pimut.pdfIn PDF document text
    • https://baconbites.com/wp-content/plugins/super-forms/uploads/php/files/9s0luere1rh2ur05np1r4oenc1/24677242125.pdfIn PDF document text
    • http://anandtouristcorporation.com/uploads/3628895881.pdfIn PDF document text
    • http://xn--b1ahhafccpgkb2bxo.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/c40d8c8a644ff9b3bc3f33b0bf74e1da/mowuworu.pdfIn PDF document text
    • https://archltginc.com/wp-content/plugins/super-forms/uploads/php/files/d8d4d2f085da9e93d2185dd246ba6dc4/bejak.pdfIn PDF document text
    • http://csc0512.com/userfiles/file/20210702214215_4c34mw.pdfIn PDF document text
    • http://www.zulfugar.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160a683b080f7a---83028432299.pdfIn PDF document text
    • https://www.nobleorthodontic.com/wp-content/plugins/super-forms/uploads/php/files/8a9f2550eeb0fd01870c33e83e31eeb1/42375453274.pdfIn PDF document text
    • http://radio-salsa.com/php/rs/filesupload/file/90005225143.pdfIn PDF document text
    • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160b0083d59291---rosak.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/PmAiG5ZyT-k/uplcv?utm_term=hazard+identification+and+risk+assessment+template+xlsPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e7cb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE7CB 11028 bytes
SHA-256: 8f8524cfecfc276202000ed70556b9f43299bfe6dabd7b35d14873180edb489c
font_01_sfnt_off00010169.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10169 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001197b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1197B 16120 bytes
SHA-256: 44cd81ad281ff01fb152a2157bc9afde04195fc5e98b7287d8e7747350be0c19