Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f85e19eba152245…

MALICIOUS

PDF

83.6 KB Created: 2021-06-26 14:21:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 8b8891819657fee571996b3e406279d2 SHA-1: 42cd67eb486b5284e54974bb2e728ba6f93c343d SHA-256: 2f85e19eba1522457210f314325f46b4cd3193b26f9eb0b0ddefcb709cefeaa9
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous links, many pointing to compromised WordPress sites and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of external URIs and the overall structure strongly suggest this PDF is used as a lure to distribute further payloads or conduct phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9860

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ateneoarbonaida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607340c338c4f---gibefute.pdf
    • http://skybuildinfraprojects.com/uploads/beduperetu.pdf
    • http://www.klpreschool.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609d0011745cd---98888073138.pdf
    • https://topplene.com/upload/ckfinder_temp/files/20210618115454.pdf
    • https://artlabjo.com/userfiles/file/33189077239.pdf
    • https://www.nexidia.it/wp-content/plugins/super-forms/uploads/php/files/eea19dc40a946f2014e99da75cc9b92f/zanewigudol.pdf
    • http://smartmedicaleg.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608773bade386---93733518510.pdf
    • https://dafelia.com/files/tidolijikugavupakemumojiz.pdf
    • https://www.helpagesl.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ccad9a1e25e---fevadapejunoluzuvaxorun.pdf
    • http://anhuizhkj.com/upload_fck/file/2021-5-17/20210517082603803064.pdf
    • https://himalayanwanderer.com/himalayan/userfiles/files/66885687567.pdf
    • https://capitaleny.com/wp-content/plugins/super-forms/uploads/php/files/d2f41b3f9ffaeb487bc56b4ad145a0b5/94377728988.pdf
    • http://monkey-do.net/userfiles/file/pogopodozikulagilup.pdf
    • http://nuyewrecruitment.com/wp-content/plugins/super-forms/uploads/php/files/5299191f34442478b30de3b114afdd34/23783577033.pdf
    • http://perfekttorun.pl/pliki/9657709964.pdf
    • http://www.brennholz-heinlein.de/wp-content/plugins/formcraft/file-upload/server/content/files/1608bf20f976e8---naxepome.pdf
    • https://elicopter-de-inchiriat.ro/wp-content/plugins/formcraft/file-upload/server/content/files/16079b0d2ac217---dolasupu.pdf
    • http://apsara.ru/userfiles/file/10790826468.pdf
    • https://www.teppiche-waschen-hamburg.de/wp-content/plugins/formcraft/file-upload/server/content/files/160755cd9b0602---76108313852.pdf
    • http://www.sunarsurdurulebilir.com/wp-content/plugins/super-forms/uploads/php/files/l2al7e5rtlb44rsi8f5rlvhgi5/sevaz.pdf
    • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608f9393f3f55---xalojudenokesenebax.pdf
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/16098fa4e92ac0---situfifuwajevigomuj.pdf
    • https://www.modianodesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b1c66768fac---5037690564.pdf
    • https://infravoip.com/wp-content/plugins/super-forms/uploads/php/files/fe65e79b1b28d58ff5632b6633e42723/66471937341.pdf
    • http://st-ark.it/userfiles/files/wabukununuxaxajakafiratik.pdf
    • https://aimhc.com/userfiles/file/43861832216.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=principles+of+mathematical+analysis+rudin+solutions
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e211.bin
e72ed87bd1e001672cb0b3bf80c9819d2e6874e0fdd50713d6b7e48f5d6236e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE211 17000 bytes
font_01_sfnt_off00010ee7.bin
a314e310bc5ef4c1e6d9051f4abdc80712d87237209f17c0f11b736e6e3a22ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10EE7 11100 bytes
font_02_sfnt_off00012898.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12898 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.