Malicious PDF — malware analysis report

Static analysis result for SHA-256 233b4dab9655a336…

MALICIOUS

PDF

84.4 KB Created: 2021-07-07 02:36:51 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8c789dca7bb1e2b964516fc8926d6bfb SHA-1: 1f87b7b8ec14399fa080105a9c189862882aa78c SHA-256: 233b4dab9655a3360fac9759879238815631c133d05582d2b7339c232edbd128
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised WordPress sites and other disposable hosting, indicating a link farm designed to redirect users. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware delivery. The sample's structure and URL patterns are consistent with a malicious document used to distribute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://rrvchefs.com/wp-content/plugins/super-forms/uploads/php/files/8f7ace0cd48136bdd552e46257137108/pawegidejusevi.pdf
    • https://vestol.bg/files/file/gelowexuxus.pdf
    • http://doyen.cc/images/upload/File/zafopuv.pdf
    • http://kapli74.ru/upload_picture/piganizuxu.pdf
    • https://ratsimae.eemedia/contents/file/75458003522.pdf
    • https://www.d-table.com/wp-content/plugins/super-forms/uploads/php/files/0f1ad2e2a64e71067d8fa399e8adfc36/72899473030.pdf
    • http://pamat.ro/UserFiles/file/jobivusuzibafotuzepoz.pdf
    • https://www.dishdivvy.com/wp-content/plugins/super-forms/uploads/php/files/a16fa79cd51cd1f089f3d60677a8b9d7/nuwekemol.pdf
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/160b5c89f552e2---19736150046.pdf
    • https://amiablediamonds.com/wp-content/plugins/super-forms/uploads/php/files/1d1f1c56bfd5e40419a39c411acf37fd/25644024419.pdf
    • http://becro-plast.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160b5b2623e81a---pepipasep.pdf
    • https://agatanorek.com/files/file/pexag.pdf
    • https://eitmedu.in/ckfinder/userfiles/files/67493219786.pdf
    • https://www.kiteschule-kiel.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606c9e03988c7---4261041941.pdf
    • http://www.luminicaambiental.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0688061676---kejerojujigaraput.pdf
    • https://atlanthealth.com/wp-content/plugins/super-forms/uploads/php/files/26847be5b8ee00e429ac1e919f8efc1c/reganudasemuge.pdf
    • http://orbitsecurity.qa/pro_mvp_tech/uploads/file/22443916519.pdf
    • http://www.lightingandhvacexpo.com/wp-content/plugins/super-forms/uploads/php/files/176e7396fa0f7edb9918a194c941cdb8/wazefoxeximunumuwiwajuj.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/fzgW7-mxBc0/uplcv?utm_term=is+it+bad+to+apply+for+multiple+jobs
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e71e.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE71E 16792 bytes
font_01_sfnt_off0000ff35.bin
60e74448d9d4658852d5f0aebbdf6a1f14277af2743c2f19f3c67dee8d86249e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFF35 10988 bytes
font_02_sfnt_off00011885.bin
7c5d56807715ecaffe8f9410a9a3a976e21b58c44ad2f70cb4b8d8018efd0b00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11885 16976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.