Malicious PDF — malware analysis report

Static analysis result for SHA-256 29dd0441a8ac9c94…

MALICIOUS

PDF

223.3 KB Created: 2021-07-03 21:33:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: 8ca18b0b652d320e3bdfe14bc2e53b76 SHA-1: 8a4f4629b4a829e0ca75f63b83edfca51e3bf4b6 SHA-256: 29dd0441a8ac9c946ff7271e6ec740b2084029e59423f38d68457025863f9045
166 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links pointing to compromised WordPress upload storage and SEO redirectors, indicating a phishing or malware distribution lure. The ML classifier and ClamAV detection strongly suggest malicious intent. Although no scripts were directly extracted, the PDF structure and embedded URLs are indicative of a malicious document designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9066

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=types+of+sentences+for+class+7 PDF link annotation
    • http://milcontabil.com.br/wp-content/plugins/super-forms/uploads/php/files/gritjga7uk3a8duagq3gue0ci3/molaxabobubutujakewutamig.pdfIn PDF document text
    • http://orderkiwicafe.com/uploads/files/31558488489.pdfIn PDF document text
    • https://storage-in-motion.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070b4a61a8db---vititoranisabim.pdfIn PDF document text
    • http://www.virtualaid.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160b4d54e78652---petaxuxaxawifof.pdfIn PDF document text
    • https://sasalidayanisma.org/uploads/file/39357223357.pdfIn PDF document text
    • https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/2d8bb827befa999246e805736bd7a7bc/83086295758.pdfIn PDF document text
    • https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/16075b951d7c38---gomelunajipupapejesa.pdfIn PDF document text
    • https://lorenzonimmigrationlaw.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a53fb3b4be8---basoxosesikipu.pdfIn PDF document text
    • https://sidexsideaudio.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1588756496---1877007160.pdfIn PDF document text
    • http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cbc1fb14532---54322709168.pdfIn PDF document text
    • http://tutek.eu/userfiles/file/9881822501.pdfIn PDF document text
    • https://victory-agency.com/wp-content/plugins/formcraft/file-upload/server/content/files/160aab45261d08---sujiwipafefizufol.pdfIn PDF document text
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/16098372938ed9---timejopugugewexen.pdfIn PDF document text
    • https://butchercurnow.com/img/shop//contents/83830171282.pdfIn PDF document text
    • http://www.auditsi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b033f0209db---miwozaxe.pdfIn PDF document text
    • http://www.theagentpipeline.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b04bb10c52---lufodexuwifefin.pdfIn PDF document text
    • https://leo-translate.com.ua/wp-content/plugins/formcraft/file-upload/server/content/files/1609421ccefb51---figosazedug.pdfIn PDF document text
    • http://go-trec.com/wp-content/plugins/super-forms/uploads/php/files/94f5t1or8dc2t44lathujmp82c/devuso.pdfIn PDF document text
    • https://sv-fin.ru/wp-content/plugins/super-forms/uploads/php/files/67e9ae69db971615eab67f853ec3608e/98095341246.pdfIn PDF document text
    • http://www.justgiveahand.org/wp-content/plugins/formcraft/file-upload/server/content/files/160a061128f64f---futifoxabuxebazox.pdfIn PDF document text
    • http://hellnocancershow.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b54a4d0e30b---lafatipibujilemobedof.pdfIn PDF document text
    • https://militarynetwork.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160960262201f6---nivonijodiga.pdfIn PDF document text
    • https://eliteswimmingpoolsinc.com/wp-content/plugins/super-forms/uploads/php/files/6u91a7fn7c3jqurhirr1vs16g5/41009545454.pdfIn PDF document text
    • http://www.allatpatikapecs.hu/images/file/xirobedelalala.pdfIn PDF document text
    • https://aquaticlandscape.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c29b206ada3---13668145733.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0002d113.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D113 32836 bytes
SHA-256: 7adca9aa2d15cf319b83a7c1b96f15ea67c26d9ab0ce9fc111a599e9e85aea34
font_00_sfnt_off0002b8e5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2B8E5 10508 bytes
SHA-256: 590c76973a2325bb02b013cf9b677fc5ef1cbb850408041ff4b8a360562c7994
font_02_sfnt_off00030d30.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x30D30 31496 bytes
SHA-256: b910cbcd9db537eee460f6a0503c1c7943e40e29ccc662e934f991b07afe7482
font_03_sfnt_off000356c6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x356C6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1