Malicious PDF — malware analysis report

Static analysis result for SHA-256 27361ff0ec11dea9…

MALICIOUS

PDF

204.8 KB Created: 2021-07-05 14:01:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: d26a8233459f217627c03cc8718b334f SHA-1: e78761f39e7d6c30da66128c4058aa9a49dfad42 SHA-256: 27361ff0ec11dea968512e9e08061d38a49077435b0ef24a746199ddecb89883
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains numerous links to compromised WordPress upload storage, indicating a phishing or redirection attempt. The document body is unreadable, but the presence of multiple external URIs and compromised CMS upload links strongly suggests a phishing attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9916

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/a3ea0ac95d6371f1703f5f287993cb8d/77188732330.pdf
    • https://action-roofing.com/wp-content/plugins/super-forms/uploads/php/files/1968c8f99f92721dec2cf501b9cebbee/19431431226.pdf
    • https://caravanandre.it/wp-content/plugins/super-forms/uploads/php/files/4a8033f7902d9cec42e15e341a0f4922/zegudubiwo.pdf
    • http://www.kevinbrooks.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160a79ccc0029b---52754189992.pdf
    • http://www.carolglassman.com/wp-content/plugins/formcraft/file-upload/server/content/files/160723dd962934---lijupawu.pdf
    • http://opakowania-loga.pl/zdjecia/fotki/file/petodefokiboje.pdf
    • http://dichvugiayphep.net/hinhanh_fckeditor/file/soxemamojinuteza.pdf
    • http://steelbo.com/uploads/admins/u0/files/20210622175009.pdf
    • http://adanateknikservis.web.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1607272d576d75---vesezaxokexipolelojeb.pdf
    • http://brooklinehs1964.com/clients/6/6a/6a3559cec3eb17f551da2d864c8c85ab/File/sugisurapaganal.pdf
    • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdfa9f67594---duxixobatozevida.pdf
    • https://porterbrothersltd.com/app/webroot/uploads/55227419677.pdf
    • http://ozona.pt/wysiwygfiles/file/depawiwogezanonutug.pdf
    • http://yossy.biz/userfiles/file/32021266359.pdf
    • http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160864e1c34e04---nasovaxiweb.pdf
    • http://zionhillfirstbaptistchurch.com/clients/73368/File/16507894535.pdf
    • http://www.1000ena.com/wp-content/plugins/formcraft/file-upload/server/content/files/16089bb002ac80---94043315601.pdf
    • http://studiopol.it/userfiles/files/83765966703.pdf
    • https://www.diktu.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cf9195b76a0---lokekupojezudolefelafu.pdf
    • https://www.freshstartdigitalmarketing.com/wp-content/plugins/super-forms/uploads/php/files/b61fe89d61a73044cda7117ee9c26270/velefaxipituge.pdf
    • http://ruihuitax.com/files/file/6189993665.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/GLLx1DTH0VQ/uplcv?utm_term=describe+the+democracy+created+by+cleisthenes
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002c534.bin
630b1c3df33037084ddd57d741315f51c2f744c8a5dbde6a021ced613b98b5a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C534 10892 bytes
font_01_sfnt_off0002de40.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2DE40 16792 bytes
font_02_sfnt_off0002f652.bin
41f8b6a82dcb33ed2872404df96029fa82532c662cb45b1f7eef824c073a707d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F652 18500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.