Malicious PDF — malware analysis report

Static analysis result for SHA-256 44d7cd7d0782c481…

MALICIOUS

PDF

73.4 KB Created: 2021-09-23 00:21:09 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-16
MD5: d3f5051a1bdc385e9b7c39f29f79ba09 SHA-1: 14a4eda283381d3be13d231245b3a0c2f30e96f9 SHA-256: 44d7cd7d0782c48109e6d6a2bbbe72bccfa8e8e41a7c864c14e42292fb6e97d8
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript and multiple external URIs, some of which point to compromised CMS upload storage and disposable hosting, indicating a link farm designed to redirect users. Heuristics for urgency lures, download buttons, and callback phishing suggest a social engineering attempt to trick the user into clicking a malicious link. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 10

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tommytest.dish1314.com/data/html_editor/files/50978031154.pdf In PDF document text
    • http://infosierra.es/images/editor/73136905950.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/cc4d6d8903a1221b674736c1802cc8b7/koxorukakujupusatovilena.pdfIn PDF document text
    • http://thevalleytrader.com/files/nenazazunemureburod.pdfIn PDF document text
    • http://2990592.ru/ckfinder/userfiles/files/ritut.pdfIn PDF document text
    • https://giraffeng.net/infodaily/gen-ckfinder/userfiles/files/tufoborebejujukak.pdfIn PDF document text
    • https://coolinterier.sk/upload/files/36157061606.pdfIn PDF document text
    • http://satuldelut.ro/ckfinder/userfiles/files/47422974409.pdfIn PDF document text
    • https://francoisdaulte.com/ckfinder/userfiles/files/tululosimivukanukazizuba.pdfIn PDF document text
    • http://studio-rivetti.it/userfiles/files/75438789425.pdfIn PDF document text
    • http://www.olympussverige.se/wp-content/plugins/super-forms/uploads/php/files/mlhkefg8m999ev92f5lqfhf03n/17937508377.pdfIn PDF document text
    • http://tantos.jp/js/upload/files/nokowij.pdfIn PDF document text
    • http://www.finanzanlagen-honorarberatung.de/wp-content/plugins/formcraft/file-upload/server/content/files/16130d7cf1f5b2---1106155787.pdfIn PDF document text
    • http://gesundezellen.com/neu/userfiles/file/xipite.pdfIn PDF document text
    • http://gramercygrand.ru/files/file/18010204853.pdfIn PDF document text
    • http://es-umzuege-transporte.de/wp-content/plugins/super-forms/uploads/php/files/889ffbbbb73552484a86c620722a2e78/59302682335.pdfIn PDF document text
    • http://roland-toys.eu/userfiles/file/37302624743.pdfIn PDF document text
    • https://matrixx.lu/images/76016433148.pdfIn PDF document text
    • http://henskeschildersbedrijf.nl/upload/wapilategafuj.pdfIn PDF document text
    • http://henca.com/files/details/file/55649760578.pdfIn PDF document text
    • http://gabinetpro.gabinetpro.pl/kosmetyczka/krakow/files/60312031638.pdfIn PDF document text
    • https://pratham.one/file/domekudupoj.pdfIn PDF document text
    • https://angkagenap.com/contents/files/76708872407.pdfIn PDF document text
    • http://otoozevran.com/resimler/files/60957556506.pdfIn PDF document text
    • http://farmandari-sarvestan.ir/images/news/files/biwuro.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=live+wallpaper+for+free+iphonePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bd03.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBD03 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000d515.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD515 16912 bytes
SHA-256: 38b125236728c05efd717fdb0bd9dee82c777722cbe70eb3931c30afcae93545
font_02_sfnt_off000100b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x100B7 10296 bytes
SHA-256: 024c5771b6ed21bc3ed7bd9508b524cdec1463350ac46fca2aa1d413ca6ccdfa

Open this report in the interactive analyzer, or submit your own file for analysis.