Malicious PDF — malware analysis report

Static analysis result for SHA-256 24438936731a43da…

MALICIOUS

PDF

82.6 KB Created: 2021-08-23 23:27:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 33d3b1c80ff2bd07563e064a744b6a1c SHA-1: d3f4d047620e863615e6e91aac78a3b7f5314024 SHA-256: 24438936731a43dac6ca9147954259d77674ed399cce255497a6cb465aa2c7a4
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The presence of embedded JavaScript and numerous external URLs, including those hosted on compromised CMS uploads and disposable hosting, strongly suggests a phishing or malware distribution campaign. The embedded JavaScript likely facilitates the redirection to these external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=manual+transmission+clutch+problems PDF link annotation
    • https://www.douggoodkin.com/admin/ckfinder/userfiles/files/nodawalufibomonotim.pdfIn PDF document text
    • https://postscriptproductions.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607af670902cc---nokizalafukovijamugila.pdfIn PDF document text
    • https://boldvision.tv/wp-content/plugins/formcraft/file-upload/server/content/files/1611ead370abb6---ximivamuvumukuvoxonu.pdfIn PDF document text
    • http://uyaviation.com/wp-content/plugins/formcraft/file-upload/server/content/files/160edc2452962b---18677439852.pdfIn PDF document text
    • https://vibangthuaphatlai.net/uploads/files/zugazadiperexakaliputew.pdfIn PDF document text
    • http://podlahypilat.cz/admin/file/malasokulaxogi.pdfIn PDF document text
    • http://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbbf45d2f4---deseduloxekuvagegimipi.pdfIn PDF document text
    • https://uniqrelation.com/userfiles/file/72521359218.pdfIn PDF document text
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1609bbf5d47b5b---70108205463.pdfIn PDF document text
    • http://stonepigments.com/userfiles/file/sunujofove.pdfIn PDF document text
    • https://genesislighting.net/wp-content/plugins/super-forms/uploads/php/files/55b7698b552e560bc6a9fe18ff8fd4e8/4670070968.pdfIn PDF document text
    • https://www.rekalibracija.com/wp-content/plugins/super-forms/uploads/php/files/f782b07bdca7a541efd6ae58661d157b/tifokabifebalosudesorirer.pdfIn PDF document text
    • http://www.patricktennis.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c74fa29c83e---tevevaweb.pdfIn PDF document text
    • https://xn-----6kcabagcgfjsxjciriy6alkh6a7aqk.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/3a068a1776ecf3fe6b2acace085c23ea/61776841539.pdfIn PDF document text
    • http://alternatifmedikal.com/img/userfiles/files/79601618449.pdfIn PDF document text
    • http://lhs1965.com/clients/880801/File/kereluriz.pdfIn PDF document text
    • http://novaserv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d6ff9cbf88b---1862217946.pdfIn PDF document text
    • https://www.azembay.com/wp-content/plugins/super-forms/uploads/php/files/1p2nqh6uefc8ooe0d2jevcepb1/toriwuwis.pdfIn PDF document text
    • https://onecre.com/images/content/files/silimo.pdfIn PDF document text
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/53a1d2408dac9e80c583cdc1e3b7a16d/59431068256.pdfIn PDF document text
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/160e174c1b93a0---92952856243.pdfIn PDF document text
    • https://www.ogblfrontaliers.fr/wp-content/plugins/super-forms/uploads/php/files/mpj260spuh0rbkvnb3v6f3a3am/306133597.pdfIn PDF document text
    • http://on-video.com/movies/movie_data/file/gujonalopagugavizaz.pdfIn PDF document text
    • http://battlegrouponline.com/app/webroot/js/ckfinder/userfiles/files/lafitudulemuwiwi.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e29e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE29E 16028 bytes
SHA-256: a4933155dca7c974e041ae92ea7db5502ddc1e3226b8f073547c972ed96fe92d
font_01_sfnt_off00010be0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10BE0 10872 bytes
SHA-256: 698909713e613a4a67a7f86b6572a068409a0dfbff9f99a26293729ec384ec1b
font_02_sfnt_off00012496.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12496 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1