Malicious PDF — malware analysis report

Static analysis result for SHA-256 361ba2c7cc4465f8…

MALICIOUS

PDF

87.4 KB Created: 2021-06-26 22:37:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: b98bd792cab24b286552d0e852125a3d SHA-1: 7c7a977d53181b73bf106f5cfee059df63058085 SHA-256: 361ba2c7cc4465f89869210b7058149625b7b5b1260ed415ce272e33d8234e45
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous links pointing to compromised WordPress sites, specifically targeting upload directories. These links likely serve as a distribution point for further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, and the heuristic firings confirm the presence of a link farm on disposable hosting, a common tactic for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://admonks.ru/wp-content/plugins/super-forms/uploads/php/files/bb6e954a52cc0f1a8342c5bfc2d2cdbc/89802545028.pdf In PDF document text
    • http://limpiasol.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a4302b3ed7b---48697764379.pdfIn PDF document text
    • http://amako-ra.com/wp-content/plugins/super-forms/uploads/php/files/68d884d7f0d35830def0b9a2eefa6dab/tagawevodekowosa.pdfIn PDF document text
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/1607996a28a041---zivazigesejakuposif.pdfIn PDF document text
    • https://event-connections.net/wp-content/plugins/formcraft/file-upload/server/content/files/160758d4857fe7---gogudize.pdfIn PDF document text
    • http://www.mywil.ch/wp-content/plugins/formcraft/file-upload/server/content/files/160839632711b5---zinifijopuremamizapaj.pdfIn PDF document text
    • https://cbolean.com/wp-content/plugins/super-forms/uploads/php/files/vc5nj2i3l48vor0nkjm22hata0/xataraj.pdfIn PDF document text
    • https://www.infrascale.com/wp-content/plugins/super-forms/uploads/php/files/64011b5efe3dac8610db763e16ee5da6/75284928383.pdfIn PDF document text
    • https://webgirls-studio.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0c6491c39d---87997506525.pdfIn PDF document text
    • http://menafundinfo.com/userfiles/file/debuvagulubiwowito.pdfIn PDF document text
    • http://www.virtualaid.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160c8ef53e107e---44605997090.pdfIn PDF document text
    • https://www.americanapi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160929f214156f---77945893786.pdfIn PDF document text
    • http://fujavietnam.com/images/Download/71901541796.pdfIn PDF document text
    • http://robalton.es/Albums/images/file///wuduvanaresisa.pdfIn PDF document text
    • http://www.gunyagder.org.tr/wp-content/plugins/super-forms/uploads/php/files/n6rhriaonmc44dcu95adoi0v10/rorivenuxe.pdfIn PDF document text
    • http://www.franklinwebdesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb52f1f154---tamusutozokinemilipuzarib.pdfIn PDF document text
    • http://trendybiz.in/usersfiles/file/18386820933.pdfIn PDF document text
    • http://pavcargo.ru/wp-content/plugins/super-forms/uploads/php/files/32fb2238e4f5ba0a9317f3d4580c9034/83876586634.pdfIn PDF document text
    • http://littlepearlbooks.in/data/eimages/file/zirepotagez.pdfIn PDF document text
    • https://www.certificagreen.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ae7d34ccdbf---pulowevuxofafevobomu.pdfIn PDF document text
    • http://mu-rrrc.com/userfiles/file/resetebubiv.pdfIn PDF document text
    • http://anhuishangbiao.com/upload_fck/file/2021-5-23/20210523023953733864.pdfIn PDF document text
    • http://www.lavalledesign.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607b2033a24fa---ridojutitekujifasovuva.pdfIn PDF document text
    • https://sdyh.gr/wp-content/plugins/super-forms/uploads/php/files/cmv0dtobq7h55h5s7iibjmr2p1/jimigulapenewigidusepiwig.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/cv9VXjIrmdE/uplcv?utm_term=am+a+rider+mp3+song+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2e4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2E4 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010afb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10AFB 10876 bytes
SHA-256: 705d90dc62b6039afa5a9f4a08091ea8939d590258ef935d8e04dc5f84e5290b
font_02_sfnt_off000123db.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x123DB 17036 bytes
SHA-256: 0ff63e5dfa40aac267c041c8b70bb7dd37e79478d3a89ee8c2b8ce2dd0210946