Malicious PDF — malware analysis report

Static analysis result for SHA-256 310bdafe87bdd634…

MALICIOUS

PDF

82.3 KB Created: 2021-09-01 03:13:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: 952ddf5f65120a396b9c77c36c5a1c7b SHA-1: 021a8b9ce5b530f2ebf900114e74161414c25a15 SHA-256: 310bdafe87bdd63484b26d5ad36bd2077028d873cbaed056075530a2ec6b2077
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by a machine learning classifier and ClamAV as malicious. It functions as a link farm, containing numerous URLs that point to various websites, some of which are hosted on compromised CMS platforms. The presence of 'invoice' or 'payment' language suggests a lure for phishing or fraudulent transactions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9846

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nuraski.pl/wsg/userfiles/48605687301.pdf In PDF document text
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/16107088052f15---jubekubalogetumonide.pdfIn PDF document text
    • https://bowenpainter.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5d4b03f4ba---24092009486.pdfIn PDF document text
    • https://sammycar.ch/sammy/sites/default/sammyfiles/newsletterfile/14429162614.pdfIn PDF document text
    • https://implantsdentairesdesmoulins.com/upload/editor/file/68236587965.pdfIn PDF document text
    • http://xn--80affcyoc0ac1f6a.xn--p1ai/admin/modules/ckeditor/ckfinder/userfiles/files/sokukevevawefisok.pdfIn PDF document text
    • https://pasarangroup2.com/contents//files/36599238724.pdfIn PDF document text
    • http://balogmihaly.hu/UserFiles/file/bajoputimalevatepar.pdfIn PDF document text
    • http://www.alquilerbares.com.ar/wp-content/plugins/formcraft/file-upload/server/content/files/1606c8e034ecff---54591816508.pdfIn PDF document text
    • http://slsnn.ru/content/files/57173893160.pdfIn PDF document text
    • http://amandatravel.com/userfiles/file/bujolisonekad.pdfIn PDF document text
    • http://www.whirlpool-beachcomber.at/wp-content/plugins/formcraft/file-upload/server/content/files/1608a7e71ba6fc---tofitilaku.pdfIn PDF document text
    • http://kcde.kr/userfiles/file/podufadebuxudugukitevi.pdfIn PDF document text
    • http://www.platformliften.info/wp-content/plugins/formcraft/file-upload/server/content/files/1609304e305ecf---kegigajuvavarubar.pdfIn PDF document text
    • http://www.dfdtrading.sk/ckfinder/userfiles/files/38213990379.pdfIn PDF document text
    • https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/48885e470731c5b172b5cb2e6038ed15/81697175883.pdfIn PDF document text
    • https://laplacedesstores.com/upload/file/nafuranaf.pdfIn PDF document text
    • http://www.iqubz.com/wp-content/plugins/formcraft/file-upload/server/content/files/16087ed2d6397e---27987550465.pdfIn PDF document text
    • https://pnlcoach.com/misc2/file/In PDF document text
    • http://www.phonefixcomo.com/wp-content/plugins/formcraft/file-upload/server/content/files/161296d8738a26---fakofi.pdfIn PDF document text
    • https://dongytueduc.com/wp-content/plugins/super-forms/uploads/php/files/erk0mn4pdvh6conapi8tafn0db/64600948866.pdfIn PDF document text
    • https://almuhja.ps/ckfinder/userfiles/files/rufiwisononiz.pdfIn PDF document text
    • https://vibangnhadat.com/uploads/files/51057572505.pdfIn PDF document text
    • http://yacpa.org/yacpafiles/file/83481031188.pdfIn PDF document text
    • http://www.platformliften.info/wp-content/plugins/formcraft/file-upload/server/content/files/160abf6b5aecb2---taripajej.pdfIn PDF document text
    • http://www.reroofingbrisbaneqld.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1606f3acc1d70c---14893923084.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/3vuEKuznOb8/uplcv?utm_term=convert+pdf+to+html+in+asp+netPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dbd5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDBD5 10860 bytes
SHA-256: 99a39113482ec34b315de2588f069ba2a70ece5d35441681ed159a223dea3537
font_01_sfnt_off0000f4be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF4BE 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00010cd0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CD0 17724 bytes
SHA-256: 67e5692cdc3c8e00c389d562be25bbd67187047f1703f2f0161053c1fcb77968