Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bd5a33e7cbd97f5…

MALICIOUS

PDF

77.0 KB Created: 2021-06-24 20:59:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6cf2b3b745f7aa6b025935a0a7bd74c2 SHA-1: 7da3c5f860929c632901e27d919b85dcb09cd4a6 SHA-256: 3bd5a33e7cbd97f5f37884deb566910d1682019efd634aa284d78bd6ed29aec6
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document contains a link farm pointing to numerous PDF files hosted on various websites, some of which appear to be compromised. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports the conclusion that this is part of a phishing or malware distribution scheme. No scripts were extracted, but the overall structure suggests a lure to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://fritz-fahrlaender.ch/download/38915399046.pdf
    • http://alpha-th.com/userfiles/file/dumepekinida.pdf
    • https://jetzterstrecht.hamburg/wp-content/plugins/super-forms/uploads/php/files/7rdlpggrhj3o39dmjgm790vbcv/74866614497.pdf
    • https://www.surajinformatics.com/wp-content/plugins/super-forms/uploads/php/files/7c1f710ff3df7cc3c0704d888ddaf931/41016771336.pdf
    • http://bannails.com/fckeditor_userfiles/file/lusakamawokek.pdf
    • https://www.wikiwebagency.it/wp-content/plugins/super-forms/uploads/php/files/8f803df5ccae097c30dd441b2af4cd64/55760855402.pdf
    • https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/e9df627cacb9e6db7b98998a631f2b5e/rufakezinunejuwiminavo.pdf
    • https://malimbe.africa/wp-content/plugins/super-forms/uploads/php/files/6880b7016605a6d62c158cc55efc3305/pivifimizemaxukesebixoku.pdf
    • https://monarchwinemerchants.com/wp-content/plugins/super-forms/uploads/php/files/7be0b4e76800d2c6683b39f77ecfe716/38604125700.pdf
    • https://eduinfinite.com/wp-content/plugins/super-forms/uploads/php/files/956733d4c5f7afd42a18d79682e6caac/14408507980.pdf
    • https://frontiersneurophotonics.org/wp-content/plugins/formcraft/file-upload/server/content/files/1/160933ecceb55d---kapoxowojowo.pdf
    • http://rethabise.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1609bd4c803b24---tofejozufagadevimagil.pdf
    • https://www.saltriot.com/wp-content/plugins/super-forms/uploads/php/files/bbbb99daca4eee0ab26539aba69a66a6/16234540223.pdf
    • http://www.pirac.org/wp-content/plugins/super-forms/uploads/php/files/8e481475add035da54487ea8d3b32ba3/29621225040.pdf
    • http://www.fattyweng.com.sg/wp-content/plugins/formcraft/file-upload/server/content/files/160a9bb9c339c7---falad.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=fifty+shades+of+grey+full+movie+watch+online+with+english+subtitles
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ecba.bin
be1dfb584d9c7a2057f8530557077e23f62229c77260f4ae507e6690e37ebffd		 pdf-font-stream PDF embedded font (sfnt) at offset 0xECBA 5784 bytes
font_01_sfnt_off00010067.bin
8df6bb34e2d80896bdf87cb2efa86343d110aa94a3c393c08aee673c60ff5261		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10067 11452 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.