Malicious PDF — malware analysis report

Static analysis result for SHA-256 347b83d85ee77fad…

MALICIOUS

PDF

88.0 KB Created: 2021-07-01 17:10:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: afa40465e907c47dc7262fb13c2219bb SHA-1: 5adcd873b2f3e7b846496b7c2c67b039d483d40b SHA-256: 347b83d85ee77fad51825ad7c7ebcd6d40c308a02920debe838be84f909e5a37
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a critical ClamAV detection and an ML classifier indicating a high probability of maliciousness. The file contains a link farm pointing to numerous compromised websites, suggesting an attempt to direct users to malicious content. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports the malicious intent of hosting and distributing links from potentially compromised infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://philabc.ru/uplcv?utm_term=question+and+answer+for+call+center PDF link annotation
    • http://jhdljz.com/userfiles/file/1624464998.pdfIn PDF document text
    • http://angelcabrera.com/FCKfiles/file/89457870812.pdfIn PDF document text
    • http://arcdesantmarti.com/biocop/Images/images-editor/file/28322029368.pdfIn PDF document text
    • http://kaplanpm.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d5f7de369b---46400547167.pdfIn PDF document text
    • https://jgmurphy.com/wp-content/plugins/super-forms/uploads/php/files/cedf3ddc8e9cdf349d947bc6cd8b9f43/35631671380.pdfIn PDF document text
    • https://vetranhtuongmamnon.vn/wp-content/plugins/super-forms/uploads/php/files/vsp6b6450323lf5vt90gbh1tqg/7692688880.pdfIn PDF document text
    • https://www.marthatrotts.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160804945b0cbc---fofimafesuravos.pdfIn PDF document text
    • https://www.eoluk.com/wp-content/plugins/super-forms/uploads/php/files/heskvq9rp69f8rgge9sm6d5q7o/99009192675.pdfIn PDF document text
    • https://hmanagement.net/userfiles/file/86016639528.pdfIn PDF document text
    • http://stylekd.ru/files/24535274567.pdfIn PDF document text
    • https://www.hdontheroadnapoli.it/wp-content/plugins/formcraft/file-upload/server/content/files/1609e85726242f---90176830448.pdfIn PDF document text
    • http://xperion.hu/wp-content/plugins/super-forms/uploads/php/files/47c9a287fc3d2e7f1cd1ea2e24eab5fe/32072385562.pdfIn PDF document text
    • https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608605ff4b66c---3933248248.pdfIn PDF document text
    • http://witnesstherealist.com/wp-content/plugins/super-forms/uploads/php/files/cb206f66f89ae347915abb8e450be055/5411382153.pdfIn PDF document text
    • https://n-v-v.dk/userfiles/file/3852398856.pdfIn PDF document text
    • https://gz-topstar.com/wp-content/plugins/super-forms/uploads/php/files/06a5bf6f2de34c0a2ae506ff776f9f83/kijaratiruge.pdfIn PDF document text
    • https://www.guestquesttravelmedia.com/wp-content/plugins/super-forms/uploads/php/files/amb6g05ofngb5949q7qqv7rv7l/mevuwoxuw.pdfIn PDF document text
    • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/3dd1c2c2d8a113cfd730347dfac1cae2/46932952880.pdfIn PDF document text
    • http://xn--80ackbssfuieecff0e8c.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/csemo84mmmrppaq1uidn4lcp80/lufogasatupusufebedawe.pdfIn PDF document text
    • https://him-home.ru/wp-content/plugins/super-forms/uploads/php/files/bd33df116c60f494bea2d377ae4f12df/10692604520.pdfIn PDF document text
    • http://www.rkcomdesignservices.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e826c03051---famovuremarubukoru.pdfIn PDF document text
    • http://aotwresort.net/ckfinder/userfiles/files/fesebulunofetu.pdfIn PDF document text
    • http://www.hkqi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160dd5f7cc8fee---30685400809.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2CC 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010ae3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10AE3 10712 bytes
SHA-256: 92336802c68126d130a613c6d7b1b7f3b7072d3695d27f5fe6a8c3dfc1ea23c4
font_02_sfnt_off000123cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x123CD 18112 bytes
SHA-256: 5e070037e487d7bb89d99a190eb5849b69833aaf8afc594cb94a8125d51185b2