Malicious PDF — malware analysis report

Static analysis result for SHA-256 420dc263cdd8aa55…

MALICIOUS

PDF

83.5 KB Created: 2021-09-05 12:13:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 27a10472a0d8c80ce6f84318f855b142 SHA-1: 21981e453528a614f0e0aa860012b884d4a035cc SHA-256: 420dc263cdd8aa55d2d79001abe7065a224e17275c7df9bdd6659b239b9304b8
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. It contains numerous URLs, many of which point to disposable hosting or compromised CMS uploads, suggesting a link farm or phishing lure. The presence of PDF-specific heuristics like 'PDF_SEO_DISPOSABLE_LINK_FARM' further supports this, indicating the document's primary purpose is to redirect users to external, potentially malicious, sites. No scripts were extracted, but the overall structure and URL distribution strongly suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://digireg.se/upload/xovaguvipofusosatu.pdf In PDF document text
    • https://west-holding.com/userfiles/file/juvaxuwuvi.pdfIn PDF document text
    • http://dakmet.pl/upload/zubiziziguxi.pdfIn PDF document text
    • http://progettogeometra.it/userfiles/files/poguzeduxovubibibagasex.pdfIn PDF document text
    • http://royalwedding.jp/images/blog//file/29186162655.pdfIn PDF document text
    • http://carolstoecker.com/clients/c/c6/c60e280709801842a26e47e23f21f170/File/90883663216.pdfIn PDF document text
    • http://www.opencalgary.org/wp-content/plugins/formcraft/file-upload/server/content/files/160f0869e1c712---zenakanemewojo.pdfIn PDF document text
    • http://marymo.ru/uploads/files/fexiviwiwe.pdfIn PDF document text
    • http://veoguidecostarica.com/ci/userfiles/files/33726904485.pdfIn PDF document text
    • http://dichvugiayphep.net/hinhanh_fckeditor/file/72301343617.pdfIn PDF document text
    • https://anzmrrn.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606cbaf915706---fuvudupenovu.pdfIn PDF document text
    • https://sealordhotels.com/ckfinder/userfiles/files/97950415949.pdfIn PDF document text
    • http://fitviewer.com/files/file/zoraxiparejagevu.pdfIn PDF document text
    • https://hansenlight.com/UploadFile/files/7764059330.pdfIn PDF document text
    • http://bagumul.com/file_upload/spaw_upload/file/20210519183158.pdfIn PDF document text
    • https://gearforfree.com/wp-content/plugins/super-forms/uploads/php/files/1slpensbsmqag17i1mm6nqu0q6/81088933917.pdfIn PDF document text
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/ak0a9osgsdtt4bt77413h87ndc/xidozapisuxijomokejapo.pdfIn PDF document text
    • http://hjhchem.com/upload/files/55000034553.pdfIn PDF document text
    • https://www.gsccn.it/wp-content/plugins/formcraft/file-upload/server/content/files/1612f2303f0f2d---valawuzadiz.pdfIn PDF document text
    • https://dakhoathienhoa.net/images/files/nemon.pdfIn PDF document text
    • https://grandiosieventinuziali.it/filesUploads/file/xasibuxuzaw.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=ipad+user+manual+pdfPDF link annotation
    • http://lovewhereyoulv.wpengine.com/wp-content/plugins/super-forms/uploads/php/files/93179c9e7fc6e9b0bc0ce8cc71077b95/75009575394.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de9e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE9E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000f6b5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF6B5 10400 bytes
SHA-256: b4897389a425c69a681cb863213505247881e471b6a97be75a64a020b8065921
font_02_sfnt_off00010e29.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E29 19956 bytes
SHA-256: 183af3927ea6fd27b5236b14078aa74c9238354d749962213090bea943b0d937