Malicious PDF — malware analysis report

Static analysis result for SHA-256 36ba3de47c5b94cb…

MALICIOUS

PDF

80.5 KB Created: 2021-09-14 05:37:29 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: 869b5fa8659703808a2da161bb262df3 SHA-1: be29ddf0647099d27f3182b94380949967ab8f07 SHA-256: 36ba3de47c5b94cb2b233c3afa4357079987dec3048ff3da4fae1b3e6048751b
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links, many pointing to compromised CMS upload directories or disposable hosting, indicating a link farm designed to distribute malicious content. ClamAV and ML classifiers flagged this PDF as malicious, specifically as a phishing trojan. The presence of multiple external URIs and link farm heuristics strongly suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7913

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://madveras.com/ckfinder/userfiles/files/xivelulurir.pdf In PDF document text
    • http://mg001.cn/upload_fck/file/2021-9-13/20210913103601424220.pdfIn PDF document text
    • http://veganogle.es/uploads/ckfinder/files/monavekizofo.pdfIn PDF document text
    • https://laatuwhuisweerstralen.nl/upload/file/75545699910.pdfIn PDF document text
    • https://receptabc.hu/images_banner/files/50424494689.pdfIn PDF document text
    • https://curtain.jinware.com/upload/files/gizakujupikeg.pdfIn PDF document text
    • https://sunarchegypt.com/userfiles/file/xixisusuzuxefoxowasoseriv.pdfIn PDF document text
    • https://megashina24.ru/files/files/tuwinid.pdfIn PDF document text
    • https://servauto.fr/img/user/file/narunabofubuwedawif.pdfIn PDF document text
    • https://ethnicminorities.heephong.org/ethnicminorities/cmsadmin/ckfinder/files/74956940891.pdfIn PDF document text
    • http://triple-a.co.th/ckfinder/userfiles/files/gupunefepasaje.pdfIn PDF document text
    • https://abouelhoulgroup.com/userfiles/files/62837375465.pdfIn PDF document text
    • http://ecohouse-lab.de/userfiles/file/vajodanutexurarevujotof.pdfIn PDF document text
    • http://worksafeorg.com/wp-content/plugins/super-forms/uploads/php/files/bc6osjc8gdc90apu2idqcfool2/14315886627.pdfIn PDF document text
    • http://www.motionmantra.com/userfiles/files/nufoxapuzojasudiludunudo.pdfIn PDF document text
    • http://eortak.com/img/fck_temp/file/komadibodobogo.pdfIn PDF document text
    • https://seltec.io/images/uploads/files/bofizimukamazapede.pdfIn PDF document text
    • https://alirezamirmohammadi.com/images/upload/files/58593839558.pdfIn PDF document text
    • https://dalba.net/other_files/File/90449533565.pdfIn PDF document text
    • https://selectwifi.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613053d23ef97---lubobe.pdfIn PDF document text
    • http://www.skup.it/wp-content/plugins/formcraft/file-upload/server/content/files/161323df49584a---30579008497.pdfIn PDF document text
    • https://dascalita.ro/app/webroot/files/userfiles/files/wamojafifopolegepux.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/Om9ozkHLxGw/uplcv?utm_term=v380s+apk+for+pcPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dc06.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDC06 18764 bytes
SHA-256: b454b266b04ee54a3d4e5a655eaf90fc68a6b7c3b78bcdc278e21e02da3adf09
font_01_sfnt_off00010ca8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CA8 10564 bytes
SHA-256: f9e5e2b94d98352498ab7147ee8cfcd572652ff169ae4d8b1bb14d21015dbefb
font_02_sfnt_off000124f5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x124F5 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1