Malicious PDF — malware analysis report

Static analysis result for SHA-256 47ab4715127b3de9…

MALICIOUS

PDF

95.3 KB Created: 2021-10-06 15:11:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-25
MD5: 6a45198836814fc2c45cb06dbe777f6c SHA-1: 8ec94e79dded8b987c68433ea0a3872d64c465f3 SHA-256: 47ab4715127b3de94a02d92ea220c9a234bc7a07ba02a98ad83ee7a6003283ba
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF file identified as malicious by ClamAV and an ML classifier. It contains embedded JavaScript and multiple URLs pointing to compromised WordPress sites, suggesting it functions as a link farm. The presence of embedded JavaScript indicates potential for further malicious actions, such as exploiting vulnerabilities or redirecting users. The primary attack pattern observed is the use of a link farm on compromised infrastructure to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://newat.ru/wp-content/plugins/super-forms/uploads/php/files/4d47d2c11f975284ed10c6b7501fad75/rebafur.pdf In PDF document text
    • http://mrcookie.tw/upload/editor/file/01052802247.pdfIn PDF document text
    • http://www.theflightfest.com/wp-content/plugins/formcraft/file-upload/server/content/files/16153a251899b1---pidelaz.pdfIn PDF document text
    • https://rowsontw.com/shopadmin/upload/files/51549937613.pdfIn PDF document text
    • http://rotarycochinharbour.org/ci/userfiles/files/faxawegugemema.pdfIn PDF document text
    • http://boldogelet.hu/media/53050860431.pdfIn PDF document text
    • http://dogalakustik.com/depo/sayfaresim/file/dogexeruwu.pdfIn PDF document text
    • http://elvirajogsi.hu/ckfinder/userfiles/files/32275068257.pdfIn PDF document text
    • http://hk-sai.com/ckfinder/userfiles/files/novefavuxa.pdfIn PDF document text
    • https://priscar.com/documents/files/vekexupodozokegusu.pdfIn PDF document text
    • http://kraemer-duennebacke.de/files/file/83502441687.pdfIn PDF document text
    • https://pastijptoto.com/contents/files/duvefilogefaluxapanobuxi.pdfIn PDF document text
    • https://nevjegyzek.eu/uploads/file/favalewuri.pdfIn PDF document text
    • http://wakingbeauty.com/wp-content/plugins/formcraft/file-upload/server/content/files/1614b4c8b84453---jugifirivovegesukanutorox.pdfIn PDF document text
    • https://chungangroup.com/uploads/files/202109281015527684.pdfIn PDF document text
    • http://majortaylorride.info/images/uploaded/file/sivukogaposew.pdfIn PDF document text
    • https://goez3.com/10005001208290177/ckfinder/userfiles/files/nonaxapagaka.pdfIn PDF document text
    • http://ambvet-trefontane.eu/userfiles/files/vosafevuvakozefudo.pdfIn PDF document text
    • https://foodsafebox.com/ckfinder/userfiles/files/13001584643.pdfIn PDF document text
    • http://goodtraefarm.com/ckupload/files/82716887990.pdfIn PDF document text
    • https://ngaa.org.au/application/third_party/ckfinder/userfiles/files/80963976959.pdfIn PDF document text
    • https://agro-zavod.ru/app/webroot/js/ckfinder/userfiles/files/gilowigetewam.pdfIn PDF document text
    • http://warehousetraining.ie/images/92868276296.pdfIn PDF document text
    • https://strategieb2b.ca/userfiles/file/14126429914.pdfIn PDF document text
    • https://www.bakkersvlaanderen.be/resources/plugins/ckfinder/userfiles/0/files/xazadidopufozavewoba.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=rca+owner%27s+manualPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010499.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10499 23696 bytes
SHA-256: 066a498aaee188e45dbd9348db3f638aa795d9f1f28f2081ddad83a3459da21a
font_01_sfnt_off00013fa8.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13FA8 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000157bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x157BF 10464 bytes
SHA-256: eecd755486ccdbef833cb454d474c1cda13cd665c1ba9e5ddb619571fa651acb