Malicious PDF — malware analysis report

Static analysis result for SHA-256 22f6294beb6bf963…

MALICIOUS

PDF

74.3 KB Created: 2021-09-09 20:12:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0af09470f4c6366faf55d582b08327b3 SHA-1: 9c48ad6b327c057c9e801cd315c42ba1ddd3ddef SHA-256: 22f6294beb6bf96396698d1f943449933c06e4ecf8fa8e40f43136b561fd3f4a
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It functions as a link farm, containing numerous embedded URLs that point to compromised WordPress upload directories and other disposable hosting. The ML classifier also assigned a high probability of maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jamiatulbanat.in/wp-content/plugins/formcraft/file-upload/server/content/files/16137f056c2347---68359289701.pdf
    • http://dallapietamarchisio.it/userfiles/files/96746103105.pdf
    • https://appvid.eus/userfiles/files/dopitazimosiwidamosisinuj.pdf
    • https://wolfgang-photography.com/userfiles/files/41508431158.pdf
    • http://lidaoxc.com/upload/files/rajese.pdf
    • https://tiemhoamo.tiemhoahaibara.com/data/dulieu/files/12762577995.pdf
    • https://100tmt.com/uploadimage/files/20210909070835.pdf
    • https://havilahbuilders.com/userfiles/file/timejomugorixazu.pdf
    • http://bfr-bialapodlaska.pl/userfiles/file/4603143762.pdf
    • https://motecx.com/images/file/jumibanesevekib.pdf
    • https://www.abandassociates.com/ckfinder/userfiles/files/79275332643.pdf
    • http://davcpundri.com/css/file/tosarobozuriledidaro.pdf
    • http://alfavit.tv/userfiles/file/tosukokopapipolobizoxi.pdf
    • http://noavarservice.com/ckfinder/userfiles/files/6054126992.pdf
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/b3r6id1m7bt1ltj0eri03ekcrc/xolinoluzaramuretefupawu.pdf
    • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/625d23319ccbdcd8b89cdabfd00ace57/fudupufirazisavisorini.pdf
    • http://www.eatvirukai.lt/uploads/files/79605311990.pdf
    • https://kccegis.com/upfiles/content/file/20210907103651.pdf
    • http://quiltingacademy.com/fckeditor/userfiles/file/34779912356.pdf
    • http://armanetti.com/images/fomunaxipanurumerale.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/zMnd8XtcwSM/uplcv?utm_term=aimbot+for+kat
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bd58.bin
3efc8b263ea74baa697dbf5af93a6b3573841b7d73e04d2360e37d81b3979484		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBD58 10140 bytes
font_01_sfnt_off0000d406.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD406 16792 bytes
font_02_sfnt_off0000ec18.bin
75e680623d417486d0f3ef63cb63d23fca6420646d2774bf79d64f2448216742		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEC18 18272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.