Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e73fd9bef4acc24…

MALICIOUS

PDF

89.7 KB Created: 2021-08-08 04:25:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 6202b3494f77d0c7383719f761e82e41 SHA-1: 009a3aa7939b07b95c94e74223a33280a9f59cc1 SHA-256: 3e73fd9bef4acc24cffd7f80e31eb24e4cf1a4e1a9bfbaa98334df18800a110c
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains a link farm pointing to multiple compromised websites and disposable hosting, suggesting an attempt to redirect users to malicious content. The presence of external URIs and a QR code lure further supports a phishing or SEO poisoning attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9932

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://genesisbehaviorcenter.com/wp-content/plugins/super-forms/uploads/php/files/9807974beae53a642d6f953773156fed/17275053329.pdf In PDF document text
    • https://slavica.ru/wp-content/plugins/super-forms/uploads/php/files/91f3916ceedcf655b1a038cd9b21c32f/35294866822.pdfIn PDF document text
    • http://daonshop.com/files/fckeditor/file/poxojimix.pdfIn PDF document text
    • http://jatyn.cn/upfiles/202105/file/1622397016.pdfIn PDF document text
    • http://dmn.ca/wp-content/plugins/formcraft/file-upload/server/content/files/160c482211a8ab---sipewidadof.pdfIn PDF document text
    • https://havadisname.com/upload/ckfinder/files/64846496138.pdfIn PDF document text
    • https://unibel.pl/pliki/upload/file/wasuvodifanivunosifabuni.pdfIn PDF document text
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160ce88158d335---kidimi.pdfIn PDF document text
    • http://coytex.net//ckfinder/userfiles/files/79778893816.pdfIn PDF document text
    • http://casaalu.com/luutru/files/garifufajogup.pdfIn PDF document text
    • http://capitolmetrophysicaltherapy.com/files/files/46242086485.pdfIn PDF document text
    • http://jkbprivateiti.com/userfiles/file/kidekozugogolabekuzunuwor.pdfIn PDF document text
    • http://www.assignproject.com/wp-content/plugins/formcraft/file-upload/server/content/files/16086e1fad867f---fegixo.pdfIn PDF document text
    • http://perfectthesale.com/wp-content/plugins/formcraft/file-upload/server/content/files/16105034d3fd55---ragur.pdfIn PDF document text
    • http://pansophers.com/wp-content/plugins/formcraft/file-upload/server/content/files/160f4a8d419fc0---pezasenizat.pdfIn PDF document text
    • http://www.uppld.org/wp-content/plugins/formcraft/file-upload/server/content/files/160ac38143542b---40123419379.pdfIn PDF document text
    • https://www.guestquesttravelmedia.com/wp-content/plugins/super-forms/uploads/php/files/gqcl3igd6gdrtn9d062fhlkqa3/godofasawevujufadukedopef.pdfIn PDF document text
    • https://trsbarriersdirect.com/wp-content/plugins/super-forms/uploads/php/files/kt59tnqe2cikpe7flgbqkgephp/32263304705.pdfIn PDF document text
    • http://uniquestatues.com/clients/9/91/91c6e204ee4529d3b478b0717040545d/File/57855866573.pdfIn PDF document text
    • https://fortlauderdale-carservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608c5faa2b0dd---94024056530.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/8d999e797d834522c617039a41f5d493/putefududibaxunofirijaka.pdfIn PDF document text
    • http://www.findvoters.com/userfiles/file/rivelezejepudikomileti.pdfIn PDF document text
    • https://birudongker.com/contents//files/tavuneten.pdfIn PDF document text
    • http://fruitofthespiritcatering.com/clients/9/9e/9e5e3efd27976f294ade36eaf76108d7/File/purafaxosa.pdfIn PDF document text
    • http://farmaciafoglia.eu/userfiles/files/91005592906.pdfIn PDF document text
    • https://wurstfargo.com/wp-content/plugins/super-forms/uploads/php/files/5ca13f8840206b8e812600c67075196f/48187511999.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=tem+como+adicionar+dinheiro+no+picpay+com+cartao+de+creditoPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f555.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF555 19232 bytes
SHA-256: d08c8344cae06b5abe70aa1ef67429daafc60c55ab3105f6548523dab758200c
font_01_sfnt_off0001253f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1253F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013d56.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13D56 10644 bytes
SHA-256: a1ae904baa2ec8ab26a9ef23f3b7dd802aaebc36b6a767d5c956f57fcd4b52e2

Open this report in the interactive analyzer, or submit your own file for analysis.