Malicious PDF — malware analysis report

Static analysis result for SHA-256 47a00c4780090944…

MALICIOUS

PDF

93.4 KB Created: 2021-08-31 18:06:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: eb4362853e3e0fad458d5b5de631f165 SHA-1: 2419b7d0a136a236ce119edd73cf254e5cf6cded SHA-256: 47a00c47800909446b01539d1366838d60aead4acbc7773090db1dc6595d4e64
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics reveal it functions as a link farm, with numerous URLs pointing to compromised WordPress sites. These links likely serve as lures for phishing or to distribute further malware, aligning with the 'Pdf.Phishing.Trojan' detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://gccpay.net/wp-content/plugins/super-forms/uploads/php/files/157f5743c4a14e32583355571bf0ce4b/39808344857.pdf In PDF document text
    • http://myarrahnu.com/mo_images/files/13324641760.pdfIn PDF document text
    • https://wentworthre.com/wp-content/plugins/super-forms/uploads/php/files/6c9b2b3aeb970fa465379bfe04a10157/lejibipudenefijifar.pdfIn PDF document text
    • http://www.orarestauratorisaf.it/wp-content/plugins/formcraft/file-upload/server/content/files/161152b41bbf3e---91474126569.pdfIn PDF document text
    • https://edukiya.com/wp-content/plugins/super-forms/uploads/php/files/7e55e26eed7ac5b2e53ae86d074dcd4f/bujunekejarelenukirovov.pdfIn PDF document text
    • http://www.dnevi-sekretarjev.eu/wp-content/plugins/formcraft/file-upload/server/content/files/161219620968fb---6107600484.pdfIn PDF document text
    • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/160ac483e3db71---bafakoxigumogubonir.pdfIn PDF document text
    • https://ecoinkworld.com/wp-content/plugins/super-forms/uploads/php/files/e65fce22325b586dda3f5df4647dd008/22671394333.pdfIn PDF document text
    • https://cms.blauraum.com/wp-content/plugins/super-forms/uploads/php/files/4879616944ef09cb94170944a0fff1df/17318977171.pdfIn PDF document text
    • https://mls.lighting/wp-content/plugins/super-forms/uploads/php/files/35e74895fc41d933f3f86f96cf35cdb5/10524545587.pdfIn PDF document text
    • http://nagymester.com/userfiles/file/febolew.pdfIn PDF document text
    • http://www.next-conseil.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16088ed29c5295---nigivikapido.pdfIn PDF document text
    • http://xn--80aab8aioy.xn--p1ai/userfiles/file/musotulezabotojafilesewew.pdfIn PDF document text
    • https://digireg.si/upload/mawadatowurinepu.pdfIn PDF document text
    • http://www.misshandicap.ch/wp-content/plugins/formcraft/file-upload/server/content/files/16079fb1ca0fec---76465717226.pdfIn PDF document text
    • http://zonweringnederland.com/ckfinder/userfiles/files/tunokutelojatalijas.pdfIn PDF document text
    • https://stellabakingcompany.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bdf9d637982---sozuvofevenaxib.pdfIn PDF document text
    • http://www.catalogodecineargentino.com/wp-content/plugins/formcraft/file-upload/server/content/files/16070475723178---xewoxutiboxeb.pdfIn PDF document text
    • http://cavusofis.com/images_upload/files/20140026823.pdfIn PDF document text
    • http://perfectthesale.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c5ed8be1e6a---dufebefome.pdfIn PDF document text
    • http://ldbell1965.net/clients/85689/File/21149540325.pdfIn PDF document text
    • http://alphanaturehk.com/userfiles/file/7080997644.pdfIn PDF document text
    • http://avision-italia.com/userfiles/files/zesegasine.pdfIn PDF document text
    • https://edoxmarketing.com/wp-content/plugins/super-forms/uploads/php/files/4qfqsbmkudo4okb9beavvskoof/67310837604.pdfIn PDF document text
    • http://nhasachconggiao.com/luutru/files/28109253236.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/3vuEKuznOb8/uplcv?utm_term=burning+pain+in+back+of+kneePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000109b3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x109B3 17596 bytes
SHA-256: 37557441d5f78940978cad44fb69554bcbe22ac5b9a249d052270ddf628bac85
font_01_sfnt_off000136ea.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x136EA 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00014f01.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14F01 10728 bytes
SHA-256: a6f6afc91d13538980e16f18ad001f718fc768f25a471c4933f7788646cb290f