Malicious PDF — malware analysis report

Static analysis result for SHA-256 4899fa4b14f907d6…

MALICIOUS

PDF

76.9 KB Created: 2021-08-07 23:24:56 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 1dae5f056fa4cc6f633254b64079b40c SHA-1: e800faf323ec22d4a3e932303cf0ad807caebf2d SHA-256: 4899fa4b14f907d64415575900fdfd6ae4997ba5baccd229e11bcdde56d5a867
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous external links, many of which point to compromised websites or disposable domains, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs are indicative of a malicious link farm designed to lure users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=lengua+6+primaria+anaya+libro+digital
    • https://hgindustrial.eu/userfiles/files/81233785158.pdf
    • https://kalatranslation.co.uk/wp-content/plugins/super-forms/uploads/php/files/mc31j5jp2am0vs2bdhsnrnq44q/bixabikokuside.pdf
    • https://sharjahcements.com/images/bulk_images/files/mopom.pdf
    • http://www.vnos.vn/app/webroot/uploads/files/bikilazup.pdf
    • http://kaupa.cz/userfiles/file/46356892251.pdf
    • http://stopasbestos.ca/wp-content/plugins/formcraft/file-upload/server/content/files/16080c9eb96207---86555422070.pdf
    • http://betaempire.com/uploads/userfiles/file/file/72076611868.pdf
    • http://www.eflox.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a25c5673595---renegopidiru.pdf
    • https://cruiseship.cruises/wp-content/plugins/super-forms/uploads/php/files/g98566johq2ks8toct885snfh3/dilexin.pdf
    • https://toptenstudy.com/upload/files/BodyFile__60BAEDF794B68.pdf
    • http://www.studiolegalefusimorelli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a1622f91977---vezitexejipodezinamafoxi.pdf
    • https://interesttour.com/wp-content/plugins/super-forms/uploads/php/files/1b898b1075b7d1abe1c4b5e2f0019d49/xepirodekuralerozakin.pdf
    • https://htddienstverlening.nl/userfiles/file/rasuv.pdf
    • https://www.18fire.com/wp-content/plugins/super-forms/uploads/php/files/7620e5ee4e9ac5ecaf8e75722418b6f2/8198973794.pdf
    • http://ok-poland.com/userfiles/file/41135052347.pdf
    • http://xn--80aafkqcanfpgnhbng3b5i9a.xn--p1ai/pict/file/kedexesulijel.pdf
    • https://alakharia.com/public_html/userfiles/file/juxemo.pdf
    • http://adamlegal.com/userfiles/file/19202193129.pdf
    • http://furkansigorta.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/1607e4ca93638a---fibofam.pdf
    • https://solener.info/ckfinder/userfiles/files/60196135964.pdf
    • https://glycocalyx.nl/userfiles/image/file/lazapipikotibeniruruj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c3e5.bin
269ca60fa0a1169093dc7b47e4445e598240e38a5c1eff0ac3e73f043da63f9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC3E5 11044 bytes
font_01_sfnt_off0000dd2e.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD2E 16792 bytes
font_02_sfnt_off0000f540.bin
27bc61db4bf880206cedaa4f37e2496bf849fc893862734b186bfa506197ca05		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF540 18204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.