Malicious PDF — malware analysis report

Static analysis result for SHA-256 3da60fb3f5385ac8…

MALICIOUS

PDF

87.6 KB Created: 2021-07-09 06:13:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-14
MD5: b5b634e911a2348329993ddc45ffed38 SHA-1: 59a6e73a2572f6592b31d6c0655f62169779ccd8 SHA-256: 3da60fb3f5385ac8752b808bb827dd4d0a408f4128f010615d38e3053c6be5ba
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by ML classifiers and ClamAV as malicious, indicating it likely serves as a phishing or malware distribution vector. The heuristics reveal it functions as a link farm, pointing to numerous compromised WordPress sites and disposable hosting domains. These links are likely intended to lure users to malicious content or exploit kits.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9947

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cnkls.com/userfiles/file/1624934729.pdf In PDF document text
    • https://earthideasawnings.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a3436131285---21961780252.pdfIn PDF document text
    • https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/fbg25sl0747dvtni2thm1r3hm9/xapulilixamisafixa.pdfIn PDF document text
    • http://tahi.hu/ckfinder/userfiles/files/polusikanasovaxebivaros.pdfIn PDF document text
    • https://tripleccompanies.com/wp-content/plugins/super-forms/uploads/php/files/02d8c6eea6a9b4fefd399d5b386dde08/kevuvanizezegefuvakok.pdfIn PDF document text
    • https://hbphoto.ca/resimler/files/zukeridimezog.pdfIn PDF document text
    • https://40parables.com/wp-content/plugins/super-forms/uploads/php/files/8a3956306f835489bf82a011a0539289/guramibuzukuzegik.pdfIn PDF document text
    • https://thesmithgrouphouston.com/wp-content/plugins/super-forms/uploads/php/files/6a98ecced7f70bab0db65ffff8c5c27b/25505627807.pdfIn PDF document text
    • https://noble-worldwide.com/wp-content/plugins/super-forms/uploads/php/files/079b2d4e38e9ae81493f5a26fa80eb15/ditalewigebanixuv.pdfIn PDF document text
    • http://sinara.org.br/wp-content/plugins/formcraft/file-upload/server/content/files/1606fe29bb6984---43376096382.pdfIn PDF document text
    • http://smart-ventures.ch/upload/Editor_Images/files/70766076710.pdfIn PDF document text
    • http://trans-serwis.com/userfiles/file/2354916771.pdfIn PDF document text
    • http://adhdadvisory.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c3da79a2113---90593062185.pdfIn PDF document text
    • https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/160c8f0ab3e3fe---nokizajuposo.pdfIn PDF document text
    • http://senseoftourism.dk/userfiles/file/40438360969.pdfIn PDF document text
    • http://associacaoguainumbi.org.br/wp/wp-content/plugins/formcraft/file-upload/server/content/files/1607202d9d0ebf---soxusekeruvoluruwokulid.pdfIn PDF document text
    • https://cosalesrep.com/wp-content/plugins/super-forms/uploads/php/files/8eb2b0f7f5cf11438670cac1a9473b59/rumuxedamekasusob.pdfIn PDF document text
    • https://victory-agency.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085ba4e41f14---wemirirajok.pdfIn PDF document text
    • https://thetitangroup.ca/wp-content/plugins/super-forms/uploads/php/files/ae41ba73fb75ce0da245c6f1976c5aed/kamas.pdfIn PDF document text
    • http://93564497.com/userfiles/nevizubinozuwemokaxuxumen.pdfIn PDF document text
    • https://www.birdandwildlifeteam.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088340c8d4b3---rilimezuveleliwuz.pdfIn PDF document text
    • https://cradlegold.com/wp-content/plugins/super-forms/uploads/php/files/90afa5j893heabl34ie0e9rd47/42838386872.pdfIn PDF document text
    • https://x-software.cz/data/file/44663939171.pdfIn PDF document text
    • http://www.expertnutritionadvisor.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c772d51ed8---devebibekolurom.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/DOqCt-cVA4I/uplcv?utm_term=commitment+of+traders+reportPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ef28.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEF28 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001073a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1073A 18684 bytes
SHA-256: d3419f912eef81b1691d4e3f338c8d0e5f48c94d1166b2be4d6cc1125503f886
font_02_sfnt_off000138aa.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x138AA 10644 bytes
SHA-256: b6ce8ae40a6fc8c6324ed1b584cbb8e30f625faebcdf5d1a30868dae7c7a57a8