Malicious PDF — malware analysis report

Static analysis result for SHA-256 309104ebb015a1c5…

MALICIOUS

PDF

91.5 KB Created: 2021-08-23 15:24:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: f8842031456357622d97a42d9e404822 SHA-1: b687685f9dac34c95ea8fd39eec87bf6e9fc6489 SHA-256: 309104ebb015a1c55a4ae05b6544985b386e21c0571f64156593aa663c0a51d0
184 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF contains numerous external links, many pointing to compromised CMS upload directories or disposable hosting, indicating a link farm designed to redirect users to malicious content. The presence of urgency and callback lures further suggests a phishing or scam attempt. ClamAV detection and ML classification confirm the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/uplcv?utm_term=ged+meaning+education PDF link annotation
    • https://tonwen.org/userfiles/file/jimerigaxari.pdfIn PDF document text
    • http://vitacanes.com/uploads/files/90903330925.pdfIn PDF document text
    • http://pumarecovery.com/userfiles/files/tiweg.pdfIn PDF document text
    • http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/904d0d163b962cc98fd901f9bc4ecb43/tafapofutozi.pdfIn PDF document text
    • http://geology.ie/wp-content/plugins/formcraft/file-upload/server/content/files/160fade0e8ea4c---pirepogezasozuzezefu.pdfIn PDF document text
    • http://sunil.kr/uploadfile/fckeditor/file/zexaseromadavobuwiran.pdfIn PDF document text
    • http://www.sunargrup.com.tr/wp-content/plugins/super-forms/uploads/php/files/615rvrdrab3qtqj5pu36ithlg1/gesugarevarepeniluwib.pdfIn PDF document text
    • http://proreferee.ru/uploads/ckfinder/files/zapogo.pdfIn PDF document text
    • https://apoc.com.au/wp-content/plugins/super-forms/uploads/php/files/5291ad83e69d21de8164d8f93035a04f/42763838040.pdfIn PDF document text
    • https://ohligschlaeger-berger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160f31043cbbb6---vikavoz.pdfIn PDF document text
    • https://trichynext.com/wp-content/plugins/super-forms/uploads/php/files/d0081785026c2231491145881a87741b/98619432217.pdfIn PDF document text
    • https://mayurherbal.com/userfiles/file/jedotiloragifesowavibot.pdfIn PDF document text
    • http://e-pisanie-prac.pl/famprojekt_z_serwera/images/file/15866803793.pdfIn PDF document text
    • http://sxcec.org/userfiles/file/tugefilesusitikikiruwoza.pdfIn PDF document text
    • http://tubemakingmachine.com/uploadfile/files/zigitiwopitexot.pdfIn PDF document text
    • https://www.alongsideasia.com/wp-content/plugins/super-forms/uploads/php/files/c369acdc5033929a9982caa7ee05787b/43893595075.pdfIn PDF document text
    • https://vivaldiroberto.com/img/files/mediafiles/file/mudira.pdfIn PDF document text
    • https://www.blackandwhite-salon.com/wp-content/plugins/super-forms/uploads/php/files/7eb458fcff0b76d6afbcdc02ede05114/jatovogezabusebifoxemok.pdfIn PDF document text
    • https://www.elementstraining.co.uk/wp-content/plugins/super-forms/uploads/php/files/rr8hda0rq64apc1vvk9o24b76g/52141240028.pdfIn PDF document text
    • https://www.booster-p.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e4f6bdb557---kisaxotojeropitaneb.pdfIn PDF document text
    • https://www.bevillelecomte.com/ckfinder/userfiles/files/98010202608.pdfIn PDF document text
    • http://diencohoanghuy.com/media/ftp/file/12934052476.pdfIn PDF document text
    • https://www.emmabowman.com/wp-content/plugins/super-forms/uploads/php/files/2a8d911889e4c47166547842fc8b4b81/82743684086.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001015c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1015C 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001196e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1196E 17096 bytes
SHA-256: 0147c5b33d9ebfd9610ffc96de011e947b6be98511e82a815734823b5a120506
font_02_sfnt_off0001462f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1462F 10540 bytes
SHA-256: 9c75757ad35dc3fba309fcacb5925e8a35feafe6d6a44deaeba34f411d96744a