Malicious PDF — malware analysis report

Static analysis result for SHA-256 43617251b76a713e…

MALICIOUS

PDF

127.1 KB Created: 2021-07-01 00:34:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: 17786f884a7d8e0667fd92cdbebad2bb SHA-1: 607920501d564c7c2feab8df31754e1a136d97e6 SHA-256: 43617251b76a713e6a2ad9a5c0aad22d44ae72a61a53e335862637968d628b09
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm pointing to compromised WordPress upload directories, suggesting a phishing or malware distribution lure. Although no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a phishing attempt, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9585

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.itbaloch.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b420592d314---sirimobitupe.pdf In PDF document text
    • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b3e11619f4f---vemefafetabipot.pdfIn PDF document text
    • http://gabortech.comadmin/file/7958549191.pdfIn PDF document text
    • https://www.baileysmilk.com/wp-content/plugins/super-forms/uploads/php/files/320e89293ab49c990309cc4e07ac0d61/fosoxizemegixajejenapov.pdfIn PDF document text
    • http://dajuicebarus.com/uploads/files/34136717816.pdfIn PDF document text
    • http://gsoam.ge/wp-content/plugins/formcraft/file-upload/server/content/files/160997a5cf26b1---74037960788.pdfIn PDF document text
    • https://sandzak.best/wp-content/plugins/super-forms/uploads/php/files/08a22ff4ad1af43edd06178db949b491/30558037041.pdfIn PDF document text
    • http://trackeg.com/en/wp-content/plugins/formcraft/file-upload/server/content/files/160be7cac031ce---tovili.pdfIn PDF document text
    • http://prodesign31.ru/wp-content/plugins/formcraft/file-upload/server/content/files/16093c8c38de87---67400923771.pdfIn PDF document text
    • https://teplitsyoptom.ru/wp-content/plugins/super-forms/uploads/php/files/569dd4d2185ea630c454c6528410d3c3/lizixinilakodolo.pdfIn PDF document text
    • https://prawobrzeze.info/userfiles/file/39194417918.pdfIn PDF document text
    • https://gbagencement.fr/uploads/file/50788047932.pdfIn PDF document text
    • https://www.synergyheart2heart.team/wp-content/plugins/super-forms/uploads/php/files/qj8ggsncoojbr2pd7puk5u01td/67652498916.pdfIn PDF document text
    • http://cdn.eagle.mn/uploads/userfiles/files/70842125148.pdfIn PDF document text
    • http://ventilatoryzlin.cz/images/file/fatuxikefisatujeku.pdfIn PDF document text
    • http://www.drop-lok.com/wp-content/plugins/formcraft/file-upload/server/content/files/160be4588204f7---bufofumajotazazuk.pdfIn PDF document text
    • http://sakirnoopo.ru/wp-content/plugins/super-forms/uploads/php/files/c935ab84cd1d769ada66940d3e999fdc/270243040.pdfIn PDF document text
    • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/9aj21apgklhj5ikafmloka6d6c/busukasuwadeganu.pdfIn PDF document text
    • https://stef-nancy.fr/upload/document/riwewisexefin.pdfIn PDF document text
    • https://relaxationplusmn.com/wp-content/plugins/super-forms/uploads/php/files/b52a650a70001449c0b343c5e81067dc/27233263773.pdfIn PDF document text
    • https://hightechrustremovers.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160d0078204d76---3069772781.pdfIn PDF document text
    • https://airshow-bg.com/file/62939439122.pdfIn PDF document text
    • http://www.greenbriarpropmgmt.com/wp-content/plugins/super-forms/uploads/php/files/630b1503d30bcb7395cf0dfe32cf326e/xazadufivarewekebu.pdfIn PDF document text
    • http://www.sevenchurchestour.net/seven/wp-content/plugins/formcraft/file-upload/server/content/files/1608ff5db58941---70966144617.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/A3Ryygt5BCM/uplcv?utm_term=finger+pointing+at+mePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00016199.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16199 5892 bytes
SHA-256: dba469f31eb0de111840229593987531ada94d927d9bb67175c925e7add31738
font_01_sfnt_off0001776c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1776C 19276 bytes
SHA-256: 836bf617e65efcbff8d575ba6497a52a584caaef6b3a8f12a914800c67e5218b
font_02_sfnt_off0001a91f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A91F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off0001c136.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C136 10356 bytes
SHA-256: c57e0cc6285d1dcd884fbc5b2ea477e3b60bef2c43e8ce72e00f09b3094ceab4
font_04_sfnt_off0001d883.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D883 16236 bytes
SHA-256: d31dc96a7107996bc3cb07ff18c19ee30afeb02a4344526f6436ee06464bcd42