Malicious PDF — malware analysis report

Static analysis result for SHA-256 39fbac3a97dd362c…

MALICIOUS

PDF

86.6 KB Created: 2021-07-16 21:01:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 6ad5846d549c100f5865aec38b605cc1 SHA-1: c512f15109b5afcceb4ba5a74348243cf56e69cb SHA-256: 39fbac3a97dd362ca75678e117eac1ad2904c95ca8710706956201446a5c7470
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1055.012 Process Injection

This PDF file was flagged by ML classifiers and ClamAV as malicious, indicating a phishing or trojan distribution attempt. It contains numerous links, many pointing to compromised CMS uploads and disposable hosting, suggesting a link farm designed to redirect users to malicious content. The presence of a 'download' button heuristic further supports a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://op-gold.com/ck_image//files/93490970831.pdf In PDF document text
    • http://www.cheapmotorcycleinsurancepa.com/wp-content/plugins/super-forms/uploads/php/files/hogbegvi72tjdnnpr3cnuuiu02/dijaloniwotumibuva.pdfIn PDF document text
    • http://oneself.pro/wp-content/plugins/formcraft/file-upload/server/content/files/1607ee6a81c575---pixibisotevi.pdfIn PDF document text
    • http://aihyang.com/userfiles/file/42709296901.pdfIn PDF document text
    • https://reparationmobile.net/userfiles/file/4314222255.pdfIn PDF document text
    • http://sakirnoopo.ru/wp-content/plugins/super-forms/uploads/php/files/efd783f7fc278ce3171e9a02e29523b3/sazaxidik.pdfIn PDF document text
    • http://www.thaiboat.net/image/upload/File/84313457079.pdfIn PDF document text
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607aac4204fb2---54366710395.pdfIn PDF document text
    • https://lea-inc.com/wp-content/plugins/super-forms/uploads/php/files/2fc027daaece477a4bb0c17498917ec5/pukusuzorifimajofo.pdfIn PDF document text
    • https://borderpak.com/wp-content/plugins/super-forms/uploads/php/files/22b71c02f09ff286d6d9b0398111f512/laxerigowinasol.pdfIn PDF document text
    • https://yourtuscanyguide.com/wp-content/plugins/super-forms/uploads/php/files/e8pimles36uf5miiugororpu61/vupudufovedabifujam.pdfIn PDF document text
    • http://lncxjzxxw.com/upload_fck/file/2021-5-15/20210515231200876575.pdfIn PDF document text
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160b88d506d1d5---zewexalox.pdfIn PDF document text
    • http://www.kymenhome-etsinta.net/tiedostot/files/luziva.pdfIn PDF document text
    • http://terralis.eu/catalogue_dynamique/file/wusitisigenonil.pdfIn PDF document text
    • http://www.loockuniformes.com.br/home/wp-content/plugins/formcraft/file-upload/server/content/files/1607ce5e5145e6---bososab.pdfIn PDF document text
    • http://www.associatedomains.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a8dce63c8b---xipovu.pdfIn PDF document text
    • https://lisacutler.com/wp-content/plugins/formcraft/file-upload/server/content/files/160810ea760438---nanuwuwowegojomefot.pdfIn PDF document text
    • https://cometsecurity.in/admin/userfiles/file/xaxufodowu.pdfIn PDF document text
    • http://www.thebetterinsurance.com/wp-content/plugins/formcraft/file-upload/server/content/files/16092238f1712f---87029994458.pdfIn PDF document text
    • https://www.okcfarmersmarket.com/wp-content/plugins/super-forms/uploads/php/files/5cec4f97ad2c1c6e741f93b4eb36c32d/lipov.pdfIn PDF document text
    • http://3handseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b34db2c5aa6---jovofuvadigonenuse.pdfIn PDF document text
    • http://md-servicios.com/userfiles/file/45231998518.pdfIn PDF document text
    • http://altiro.nl/home/tjerk/file/dusix.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/BvfzZFkJO3s/uplcv?utm_term=the+sims+bustin+out+gamecube+romPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ec81.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEC81 18168 bytes
SHA-256: c6456ce61de724f8704885ef6a728cd64adffcd414420f406fdc6cecabe7df86
font_01_sfnt_off00011bee.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11BEE 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013405.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13405 10832 bytes
SHA-256: 70a899b26c8aa819464a378a2415f287f1c264455ee36864fe169e26fe762204