Malicious PDF — malware analysis report

Static analysis result for SHA-256 40f6862c9a8dfc5a…

MALICIOUS

PDF

81.5 KB Created: 2021-11-05 23:03:07 +02:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 00eb4f5cf94365bb7a3a200cba634246 SHA-1: c7ac9b568704fcfad4e7acac2dd270d964f06a4b SHA-256: 40f6862c9a8dfc5ad2cf2380572b30fde9d57cc4e92105726b0720fd49a72995
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains numerous external links, many of which point to compromised websites or disposable hosting, suggesting a phishing or malware distribution attempt. The presence of a 'download button' heuristic further supports a lure-based attack. While no scripts were explicitly extracted, the ClamAV detection and ML classifier strongly indicate malicious intent, likely involving the exploitation of PDF vulnerabilities or the delivery of a secondary payload via the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9949

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=tere+naam+full+movie+hd+1080p+download PDF link annotation
    • https://yuanfuconstruction.com/ckfinder/upload/files/lelivoratoz.pdfIn PDF document text
    • http://5percent-design-action.com/upload/users/files/tafojubowiwilarogem.pdfIn PDF document text
    • http://harchovyk.com/userfiles/file/kevukipezekujov.pdfIn PDF document text
    • https://hamzsabegi60szallo.hu/UserFiles/File/lokodiwogegazoxidewib.pdfIn PDF document text
    • http://videocycling.info/files/file/gagoxuno.pdfIn PDF document text
    • http://budka39.ru/files/1225460589.pdfIn PDF document text
    • http://songhandiban.com/uploadfile/file/2021103118081273499.pdfIn PDF document text
    • http://slabowidzacy.smprzemysl.pl/ckfinder/userfiles/files/ludalavowujuzadiga.pdfIn PDF document text
    • http://rancholasmonturaspremios.com/campannas/file/97500755929.pdfIn PDF document text
    • http://smithmurdock.com/wp-content/plugins/formcraft/file-upload/server/content/files/1616dffec6d1fb---59172830391.pdfIn PDF document text
    • http://kliknetezde.cz/admin/obrazky/file/nobenexazijowes.pdfIn PDF document text
    • http://nerezove-kuchyne.cz/UserFiles/File/fuzajibuvizekezaguzo.pdfIn PDF document text
    • http://www.serenissimaservizi.com/files/57365532796.pdfIn PDF document text
    • http://ever-pioneer.com/upload/files/27181670235.pdfIn PDF document text
    • http://tsradviseurs.nl/mailing/images/photo/file/gololevusomuzovan.pdfIn PDF document text
    • https://brothers-music.com/ckfinder/userfiles/files/jesamaloxam.pdfIn PDF document text
    • http://xn--9w3b270a7kf.kr/ckfinder/userfiles/files/52356431587.pdfIn PDF document text
    • http://tele-fonika.pl/upload/file/lisimun.pdfIn PDF document text
    • http://nousgarage.com/userfiles/file/dopogixetitute.pdfIn PDF document text
    • http://moretonassets.net/userfiles/75561893540.pdfIn PDF document text
    • https://myshalewell.com/userfiles/file/zugul.pdfIn PDF document text
    • https://www.hit-education.com/wp-content/plugins/super-forms/uploads/php/files/3sakotm2bhaka98jahoe95tels/65959333435.pdfIn PDF document text
    • http://psn-monolit.ru/img_file/files/60266789153.pdfIn PDF document text
    • https://yastudio.net/wp-content/plugins/super-forms/uploads/php/files/7a66b40bba9e9f1e30f741639a85bebe/32889880452.pdfIn PDF document text
    • https://satellietgroep.nl/userfiles/files/jiwitewikukevuzegufis.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d70a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD70A 18396 bytes
SHA-256: 21ef52aa1795ecc6d476975f67cba87b041606acb46bfab78764ee418dad9226
font_01_sfnt_off00010756.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10756 16540 bytes
SHA-256: 45015263e28dbf00792e0fa83ae0fb9123af5110209f191c00797c49350166ef
font_02_sfnt_off00011e7c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11E7C 11092 bytes
SHA-256: f9625d303f5658dcf1f571ab11ca5c8c9ea4f5d20b7aed8fe269875617878656