Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b448e6d8e428473…

MALICIOUS

PDF

238.5 KB Created: 2021-07-04 20:45:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9cbe996bfa3c299039dfcf6cdebd0e35 SHA-1: c709661ef9ef6da4527a5131ee0e277daa05a50e SHA-256: 1b448e6d8e4284737567eec745b0222a64fd1fa0fa38da0eab3e7a298dbd8c71
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous links, with at least one pointing to a compromised WordPress upload directory, suggesting it's used to redirect users to malicious sites. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing or malware distribution lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9852

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.mondzorgvesa-voorschoten.nl/wp-content/plugins/formcraft/file-upload/server/content/files/16074d3ff2a918---kuninateze.pdf
    • https://www.simcoerecovery.net/wp-content/plugins/super-forms/uploads/php/files/0dvfeka3rkb261h4805q0bhv6n/pepuxonigukexebu.pdf
    • https://daleel.global/wp-content/plugins/super-forms/uploads/php/files/ti0ocd249kv17gp7u2opr0uoc3/42105917509.pdf
    • https://k-barrierfree.com/FileData/ckfinder/files/20210625_E1C120620A3FCE1C.pdf
    • http://cathayred-csr.com/img-cathay/files/15591980518.pdf
    • https://bancodevida.com/bancodevida/admin/images/image/file/bakunuwiwivemosufurevaxab.pdf
    • http://angelescare.com/userfiles/file/81916729254.pdf
    • http://hghs61.com/clients/9/98/9814c5f28b4e93efd1f74733a9fd6b0f/File/wogezepekine.pdf
    • https://gearforfree.com/wp-content/plugins/super-forms/uploads/php/files/c6qms3q6c3v06qsi8fav8rif3l/lididazepefiwenazevewib.pdf
    • http://arlingtonhigh1961.com/clients/e/ef/ef36f0800c0a5d5a0b00d5ecc8c3c6da/File/soxofan.pdf
    • http://feach.ie/images/uploads/file/13517474753.pdf
    • https://prokoncept.hu/admin/blogfck/image/file/befopog.pdf
    • https://samudra99.com/contents//files/81892917158.pdf
    • https://acrgroup.nl/userfiles/file/jolomiwojuguguz.pdf
    • http://kaies.cn/upfiles/file/pafutagowetozosaf.pdf
    • https://www.hadlowsecurityshutters.com/wp-content/plugins/super-forms/uploads/php/files/413f9a7dc18c345d38fe7f0826b9c152/robeduveb.pdf
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160afb27ae1adc---lajupinotovi.pdf
    • https://villatoscana-pi.it/userfiles/file/zuvekovonivuguvepasurox.pdf
    • http://dorp.pl/userfiles/files/dufojizugusemerareleg.pdf
    • https://adbetelparaguay.com/wp-content/plugins/super-forms/uploads/php/files/14af42883846574088e4f8ab619314c1/56215978880.pdf
    • https://www.ideaklinikkadikoy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606fa0a23ab70---48584496073.pdf
    • http://www.anieliasfx.com/uploads/textareas/file/robapo.pdf
    • https://topclassgardening.nl/images/file/36370613654.pdf
    • https://securityguardsupply.org/php/uploads/file/26563537819.pdf
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160985105b19b2---95620450909.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/1KS0DP0cxss/uplcv?utm_term=poetics+of+architecture+theory+of+design+pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000349c9.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x349C9 16792 bytes
font_01_sfnt_off000361db.bin
2bfec2715daded0f2a93d83e5b9f37b400b45ac508e736e02af0742e11b632c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x361DB 18324 bytes
font_02_sfnt_off000391e1.bin
91ecf022758437ea12aae4ceca2c12b70c894d152b6c0e9f58e89d35ebad3829		 pdf-font-stream PDF embedded font (sfnt) at offset 0x391E1 11068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.