Malicious PDF — malware analysis report

Static analysis result for SHA-256 28ffb2f82f479e8b…

MALICIOUS

PDF

87.6 KB Created: 2021-09-03 05:57:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 9ab8b280f79b046cd92f5537b67e6ed2 SHA-1: 96022c366a66cfc4304dbca78fdcd2b7b4afb1c1 SHA-256: 28ffb2f82f479e8bb7fbffec20da3a977165305d73f2ee77959a4f775f8d30f3
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a 'Clipboard Command Execution Lure' heuristic, indicating it instructs the user to copy and paste commands into a shell. The numerous embedded URLs, many pointing to compromised CMS upload directories or disposable hosting, suggest it is part of a link farm designed to redirect users to malicious content or download further stages. No scripts were extracted, but the overall pattern suggests a phishing or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://irlanc.ru/uplcv?utm_term=cmd+hacking+commands+pdf PDF link annotation
    • https://tedesco.pl/userfiles/file/30797631495.pdfIn PDF document text
    • http://agrobud.net/uploaded/file/48775734784.pdfIn PDF document text
    • http://www.absolutecateringla.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aea10fd65d4---83601812074.pdfIn PDF document text
    • https://bwawarszawa.pl/upload/file/38507454709.pdfIn PDF document text
    • https://texigo.tw/upfile/files/2021/06/22/lalugas.pdfIn PDF document text
    • http://www.training4thefuture.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16100b1b0d9ce5---82196316644.pdfIn PDF document text
    • https://a1-recruitment.fr/v2011/Files/fck_upload/file/38815160081.pdfIn PDF document text
    • https://satuldelut.ro/ckfinder/userfiles/files/23380800659.pdfIn PDF document text
    • https://yourlightingbrand.com/wp-content/plugins/super-forms/uploads/php/files/4aae33a0d6f39bf43a72c21e786cc712/32265012537.pdfIn PDF document text
    • http://kindervakantieweekdeurne.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1611925ac582c5---28915604393.pdfIn PDF document text
    • https://spherule.org/wp-content/plugins/super-forms/uploads/php/files/3c3c9b188c92f16ae0d43544327eaf1d/komawenemodanujasavu.pdfIn PDF document text
    • http://prestizhstroycompany.ru/SITE/files/editor/file/82608760786.pdfIn PDF document text
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/a892bc93159651c7e0470c49718c19c6/nogurima.pdfIn PDF document text
    • http://chandigarhdatarecovery.com/files/file/dariza.pdfIn PDF document text
    • https://kfz-gutachter-oliver-schiller.de/wp-content/plugins/formcraft/file-upload/server/content/files/160714fc15763e---mubebowovejijapulasopago.pdfIn PDF document text
    • http://ijdssymposium.eu/upload/72367701577.pdfIn PDF document text
    • http://walthamclassof1985.com/clients/5/52/52060312c10aa816a718e90a19a6a7a1/File/vugutikudigogesopejifi.pdfIn PDF document text
    • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/160a3608707bdc---mozalazo.pdfIn PDF document text
    • https://www.onestopnaturalstore.ca/wp-content/plugins/super-forms/uploads/php/files/2nq3qmda8vp2d507h0tglpd2dn/vegelusuvoxerid.pdfIn PDF document text
    • https://robertmatzuzi-massagetherapist.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608cb96f79758---wenidafa.pdfIn PDF document text
    • http://st-ark.it/userfiles/files/71481882367.pdfIn PDF document text
    • https://apz-arte.com/ckfinder/userfiles/files/2504628217.pdfIn PDF document text
    • https://an-professional.ru/img/files/file/sadekavoke.pdfIn PDF document text
    • http://sochisushi.nl/survey/userfiles/files/90868499230.pdfIn PDF document text
    • https://www.esicm-old.org/admin/lib/ckfinder/userfiles/files/varuditubomilezav.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef11.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEF11 18932 bytes
SHA-256: 4c689106c2e3c9a738f9325557a1e43c242f43925cc5ba99eb9e7f02d7db0841
font_01_sfnt_off00012010.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12010 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013827.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13827 10816 bytes
SHA-256: bc62d6cd4f1a9806cfc73cbc8f4d95e55a4dd09d2cbc7282b0f8e84c35f98568

Open this report in the interactive analyzer, or submit your own file for analysis.