Malicious PDF — malware analysis report

Static analysis result for SHA-256 25fa08ac1c94be32…

MALICIOUS

PDF

77.7 KB Created: 2021-09-01 13:55:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: ffbc8a709ebe2d6220b8cca64725570d SHA-1: 14c6a3e7b2a7e6fb4a534a1984d7ed26c5daef97 SHA-256: 25fa08ac1c94be32a75fe484adc612c937a0c27cc3f5c2195b0661129e957b9b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a link farm pointing to multiple compromised WordPress sites, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The primary attack pattern involves directing users to external, potentially compromised, resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9953

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.hotel-palladium.gr/wp-content/plugins/super-forms/uploads/php/files/ukbvnfgc5o9jh0jprj51tvc66h/kavosa.pdf In PDF document text
    • https://www.femregenx.co.za/wp-content/plugins/super-forms/uploads/php/files/1nbr1bmf47qsuarrmf9dtha6b2/mofupotegutopigisixoduxu.pdfIn PDF document text
    • https://krzczonowice.pl/gfx/file/pijesobazo.pdfIn PDF document text
    • http://pandoreunion.com/clients/81456/File/34024560649.pdfIn PDF document text
    • http://for-rent-antwerp.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608fa2a53503c---33056263057.pdfIn PDF document text
    • http://2446665a.ru/ckfinder/userfiles/files/vudifopiwasimiku.pdfIn PDF document text
    • http://mutitar.com/user_img/files/vufowuwijuzunewusepu.pdfIn PDF document text
    • http://arniestribu.com/campannas/file/mimitefenawafiw.pdfIn PDF document text
    • http://kfnmdg.com/upfolder/e/files/20210827163633.pdfIn PDF document text
    • http://stevis.cz/files/file/bizabevazamudaposiki.pdfIn PDF document text
    • http://comicpapyrus.com/wp-content/plugins/super-forms/uploads/php/files/c79e0296cb60454214685692e3a10177/46915395115.pdfIn PDF document text
    • https://www.fecomerciomg.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/160bc494527654---60394463999.pdfIn PDF document text
    • http://structurecreative.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c67d9de882---34989249578.pdfIn PDF document text
    • http://inlikeflintlogistics.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a38c71296aa---bepalefuzivagazuwakufa.pdfIn PDF document text
    • https://coherence.cz/userfiles/file/guvuw.pdfIn PDF document text
    • https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/h35j2pv3n3djbrra7ucv74ce5q/94945458297.pdfIn PDF document text
    • https://edenestates.com/ckfinder/userfiles/files/ditaxivile.pdfIn PDF document text
    • https://www.cedicar.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d4cf3aab2e0---vedopapulinuxurud.pdfIn PDF document text
    • https://transcendenceit.com/wp-content/plugins/super-forms/uploads/php/files/1020edd46c1915c51bde1466a31d9370/34378662892.pdfIn PDF document text
    • http://victorylimo1.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608196759e2fa---wumivosufokivoribusalu.pdfIn PDF document text
    • https://velvetskin.pl/wp-content/plugins/super-forms/uploads/php/files/f9fd6dd6ff0d184080ff9bfb4096f45f/filojovewozawagop.pdfIn PDF document text
    • http://anhuizhkj.com/upload_fck/file/2021-7-6/20210706195506155597.pdfIn PDF document text
    • http://mas.vacations/wp-content/plugins/formcraft/file-upload/server/content/files/160838ef07c08e---xasisasawigu.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=21st+century+literature+meaningPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cb96.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCB96 17436 bytes
SHA-256: db6e0a0aa6ca7912e08bc09d23146c2b1d8d90258cc86eda9b27c371fffd1373
font_01_sfnt_off0000f8da.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF8DA 10740 bytes
SHA-256: 48471079ede0ff1946e76ee6e4796dbdaf40410300e67cb458da0b0538f5eaae
font_02_sfnt_off000111a9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x111A9 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1