Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bc664b08c3d1aad…

MALICIOUS

PDF

82.9 KB Created: 2021-09-18 00:50:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-26
MD5: 951e86c0298609b40fa7e740bf6acb76 SHA-1: 6cd61fa6a6913b22e4bad5e27c50734ace1b8b9a SHA-256: 1bc664b08c3d1aadf676a75fdc024f1588f3a7178f7be6a595802505848e73c9
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a lure for remote support tools, instructing the user to install or connect with such software. This is a common tactic to gain unauthorized access to a victim's system. The presence of multiple links to PDF files hosted on compromised or disposable domains suggests a phishing or credential harvesting campaign. While no scripts were directly extracted, the PDF structure and heuristic firings indicate malicious intent, likely involving exploitation or social engineering to deliver a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://scsytech.com/upload/files/zokaferiraroboji.pdf In PDF document text
    • http://mea-travel.pl/userfiles/file/tadowibasunemapubitavono.pdfIn PDF document text
    • https://creativesilhouettes.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16132a78af2e80---zodatubomisa.pdfIn PDF document text
    • http://hanabi-la.com/uploads/files/38430033776.pdfIn PDF document text
    • http://buyyoutubelikes.com/ci/userfiles/files/50367407957.pdfIn PDF document text
    • http://yesfabric.com/images/upload/File/bepizebuvixegotamakud.pdfIn PDF document text
    • http://begemot-rus.com/uploadfiles/file/2021090213495273499.pdfIn PDF document text
    • http://puebloexec.com/userfiles/file/divilukidunirez.pdfIn PDF document text
    • http://karinameal.ru/imgdish/files/sazopememitiwukiw.pdfIn PDF document text
    • http://aroma-es.red/yamituki-n/uploads/files/zekasutujowidokuz.pdfIn PDF document text
    • http://ivankrivanek.com/userfiles/file/linaba.pdfIn PDF document text
    • https://perfumes.dropship-tracking.com/userfiles/files/sewilerorimoxegete.pdfIn PDF document text
    • http://av-jet.ru/userfiles/file/vewodinomasukebitosarobu.pdfIn PDF document text
    • http://fanti-fitness.pl/uploads/assets/file/28860903029.pdfIn PDF document text
    • http://gostium.com/wp-content/plugins/formcraft/file-upload/server/content/files/16134e79648af9---64440493331.pdfIn PDF document text
    • https://wscnaturalhealings.com/wp-content/plugins/super-forms/uploads/php/files/8188ca7425fd6b1cff1bcf2558b958b1/mudoxusitolozeda.pdfIn PDF document text
    • http://caffepontoni.com/uploads/file/49936220781.pdfIn PDF document text
    • http://knshzj.com/CKEdit/upload/files/5144222736.pdfIn PDF document text
    • http://www.studiolegalefusimorelli.com/wp-content/plugins/formcraft/file-upload/server/content/files/161443cbfe3521---72821810046.pdfIn PDF document text
    • http://nicolalazzarotto.com/userfiles/files/93893410274.pdfIn PDF document text
    • https://confetti-seasons.ru/upload/files/dunafixajezomilapefu.pdfIn PDF document text
    • http://fqcycpa.com/jingkelun/userfiles/files/20210907214729.pdfIn PDF document text
    • https://www.hed-endo.hr/wp-content/plugins/formcraft/file-upload/server/content/files/161320ddad0265---78382586437.pdfIn PDF document text
    • http://huarui-bio.com/upload/files/65463315641.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/YTWXjIUwRh0/uplcv?utm_term=vnc+connect+apkPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e11b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE11B 17780 bytes
SHA-256: d963000e1c668e9b9511683b06182143dac9fa9f3f2486f966ab223fd6a9684c
font_01_sfnt_off00010f80.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10F80 10020 bytes
SHA-256: 1dffe47a2043289f7164e00a0c80345f20c3ceb162cb38885374a0aec9c3d851
font_02_sfnt_off000125f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x125F1 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1