Malicious PDF — malware analysis report

Static analysis result for SHA-256 19177db3700799eb…

MALICIOUS

PDF

70.6 KB Created: 2021-06-23 08:06:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4118cb035b953bcfa80913525b924d3 SHA-1: 7c8271f5bb9d324fa353aa76ebf2ae742eff721d SHA-256: 19177db3700799eba03837c5395f4fa56f1f995a6cecfe51c26d073ba4289dfe
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous embedded URLs pointing to compromised WordPress sites, likely intended to lure users to phishing or malware-hosting pages. The presence of 'utm_term' parameters suggests an attempt at tracking or obfuscation, common in phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=paciente+cero+jonathan+maberry+pdf
    • https://polinagerz.ru/wp-content/plugins/super-forms/uploads/php/files/qbuhindrlee77dursjoqtgj1i0/11234900882.pdf
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/6dfd11f7964676c9dd58b2db3aa335e7/nonotikajexomexiluxe.pdf
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160a65a546255b---53968986972.pdf
    • https://primeodontorj.com/wp-content/plugins/super-forms/uploads/php/files/e6999f677148690a3d438d0c6908582e/nalame.pdf
    • https://maydongy.com/wp-content/plugins/super-forms/uploads/php/files/8vlu48b5nlr83oeppq5esh75b1/75253322179.pdf
    • https://www.alarisusallc.com/wp-content/plugins/super-forms/uploads/php/files/fe1f84a3e9743553a7e449b5dd7c1983/zevokawuza.pdf
    • http://studiopignotti.it/userfiles/files/gutuk.pdf
    • https://www.acptechnologies.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609c226480993---869292256.pdf
    • https://www.cr-sdc.org/wp-content/plugins/super-forms/uploads/php/files/25123df2fd26ee0caef811279840aa53/xizeberevijesedu.pdf
    • http://yngc.ru/admin/ckfinder/userfiles/files/78191220287.pdf
    • https://www.taxiserviceh24.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608ca11baa687---37198386575.pdf
    • https://miamivanservice.net/wp-content/plugins/formcraft/file-upload/server/content/files/160d0145ab4d6a---80311927689.pdf
    • http://dolphinegypt.net/userfiles/file/34049784420.pdf
    • http://alvasari.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a01cf5dfebe---2255069270.pdf
    • https://canadiancontractorservices.com/wp-content/plugins/super-forms/uploads/php/files/ga1j1poc48pqij7fna41fl7bc6/tapotegivu.pdf
    • http://ns.adobe.c
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d591.bin
4502ac14af84f6c7732cbd4577c7c87c4835778be529b6f7efd38c303a635a89		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD591 5504 bytes
font_01_sfnt_off0000e82c.bin
0659e80e7df333e997b2e11ddc8b03c0b4a492988932b09ef669ee61fa2c357e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE82C 11816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.