Malicious PDF — malware analysis report

Static analysis result for SHA-256 32c97cb80b182c81…

MALICIOUS

PDF

69.0 KB Created: 2021-10-07 06:19:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 4cca96feb1e41aaf231d37d2524a2be8 SHA-1: 2e86fc278a29d3c70d8007605e4ac26e6c1d452b SHA-256: 32c97cb80b182c8182d36a9adc947378db2c1e4c4f6dd1cbf172edc27225af34
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs pointing to various domains, many of which appear to be compromised or disposable hosting. Heuristics indicate this is a link farm designed to direct users to external, potentially malicious content. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://oniceh.ru/uplcv?utm_term=simple+definition+of+non+contact+force
    • http://kleinschadenexperte.de/userfiles/file/midudezewo.pdf
    • http://agrobud.net/uploaded/file/2562003406.pdf
    • http://phuketdriveschool.com/userfiles/file/29919974560.pdf
    • https://textmakareknutsson.se/upload/image/79383221988.pdf
    • http://inannamsao.com/uploads/files/39591736643.pdf
    • http://ngoinvest.com/uploads/ckfinder/files/mujulufijafarenexe.pdf
    • http://weilandvloeren.nl/fckimages/2869173120.pdf
    • http://aftckwt.com/uploads/file/duvixegejolutanuxafal.pdf
    • http://sartor.ru/upload/files/37189058085.pdf
    • http://basar-hemeringen.de/ablage/userfiles/files/18387461345.pdf
    • https://impariant-club.ru/wp-content/plugins/super-forms/uploads/php/files/7fb7f196cff55c7a806b162a2c24fbe5/jagoteditikuritevupise.pdf
    • http://diskacme.dk/images/upload/file/47444103470.pdf
    • https://cfi-registration.org/buzzboxgift/img/userfiles/files/rutilurominu.pdf
    • http://www.fullmooneye.com/wp-content/plugins/formcraft/file-upload/server/content/files/1615e5a0cd92ac---42034176940.pdf
    • http://www.onegelha.com/wp-content/plugins/super-forms/uploads/php/files/20c9169738a4e51a7021878cbcf2f4a1/badegukojimas.pdf
    • http://asiadomainstore.com/userfiles/file/disuterugudofusel.pdf
    • http://bharatandcompany.in/ckfinder/userfiles/files/43904738952.pdf
    • https://artdecor24.pl/uploads/files/getobutilugepoxibolok.pdf
    • https://donnasalon.ru/wp-content/plugins/super-forms/uploads/php/files/9ec491f9e9fc7fdca1868ba7963daeba/35096780476.pdf
    • https://szamitogep-szerviz-javitas.hu/ckfinder/userfiles/files/89298993021.pdf
    • http://back2wood.de/userfiles/file/rojanewojubox.pdf
    • https://leosservices.com/userfiles/file/63745134247.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000af96.bin
cac2f3c9f6633672b16dfa71612950b546d7a6050183fbf97d902a4fdf75f6a7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAF96 15120 bytes
font_01_sfnt_off0000d625.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD625 16792 bytes
font_02_sfnt_off0000ee3c.bin
85ffd88ac8d927fdea4519c38a2ba97b028179ad151f63f68601a116c8d12c76		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEE3C 10688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.