Malicious PDF — malware analysis report

Static analysis result for SHA-256 48c9876a2ec7670c…

MALICIOUS

PDF

164.0 KB Created: 2021-06-19 10:55:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-23
MD5: b5c4c725b78246a7e7e37b5eae9cd3b4 SHA-1: 65f35a7c2b8490b0769c82dc98b1957c3ac42368 SHA-256: 48c9876a2ec7670c99ed45a43ac368941873bdff2ea17bc7977344ac1f725d84
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a 'clipboard command execution lure', instructing the user to copy and paste content into a shell, which is a common technique for downloading and executing secondary payloads. The document also contains numerous links to external sites, many of which appear to be compromised WordPress installations, suggesting a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.goldenlantern.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16078418820178---vanikodaxuwurus.pdf In PDF document text
    • https://duext.com/wp-content/plugins/super-forms/uploads/php/files/c3eb90a885c4ebd674c9ff37b5b50b2a/47377741685.pdfIn PDF document text
    • https://www.webplease.it/wp-content/plugins/super-forms/uploads/php/files/58t36ui0bpufgr44ahp7v33ioe/76737282315.pdfIn PDF document text
    • https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/08700cd173273db7f2d2ab3a1fa81488/xikikojetu.pdfIn PDF document text
    • http://www.nisbd.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609ce7ad617b6---xuferuw.pdfIn PDF document text
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160b1ea796cdd6---86485767195.pdfIn PDF document text
    • http://sequoia59.com/clients/867919/File/widoxomirebes.pdfIn PDF document text
    • https://www.nestroots.com/wp-content/plugins/super-forms/uploads/php/files/bb26qfq7nnfn4v6fvfo2fh7pj7/84779886664.pdfIn PDF document text
    • http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/160cc02ae5fa54---84669679569.pdfIn PDF document text
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/1830775b3d0e034f29b2df65c25cdda2/turejaret.pdfIn PDF document text
    • https://ngoctraithaibinhduong.com/uploads/news_file/4050738442.pdfIn PDF document text
    • https://moto-trend.cz/public/files/fck/file/56769533262.pdfIn PDF document text
    • http://autoset66.ru/admin/ckfinder/userfiles/files/puxiwijaxebapifusubamit.pdfIn PDF document text
    • http://sh8ke.com/wp-content/plugins/formcraft/file-upload/server/content/files/16072fa631085c---62135077092.pdfIn PDF document text
    • http://tofuyatogo.com/uploads/files/93974976012.pdfIn PDF document text
    • https://www.fmworks.com.tr/wp-content/plugins/super-forms/uploads/php/files/lg8h83hqo63bq8bhujbsogi1aq/xitivel.pdfIn PDF document text
    • http://lavera.it/wp-content/plugins/formcraft/file-upload/server/content/files/16092f1dfed69e---59059577942.pdfIn PDF document text
    • http://www.tenniscanberra.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/16091efd7b9baf---52425968110.pdfIn PDF document text
    • http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608d431ab6fb9---josotalijavaxukofiw.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/1xuhb7AK25c/uplcv?utm_term=office+2019+1clickPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000e739.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE739 107672 bytes
SHA-256: bb2ebe6c10acc49c245f9734579994e2931b72bbc535eff2d4861e2b36ebb73f
font_01_sfnt_off000220bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x220BD 4964 bytes
SHA-256: 127adba00f3282492db8669b46aab6d7b7593ddffd6be2c4b1dc2ab6f32042bc
font_02_sfnt_off000231cd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x231CD 2188 bytes
SHA-256: 0cba946a1011763a5b3d0f440c704485f6d2ad2f79782fb9b8a000d9d1d112c6
font_03_sfnt_off00023b97.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23B97 11208 bytes
SHA-256: b2c2ae0f92b09050ebb70e2b457147f84d82a1836bd36f8ed63ccdfd71335fb1
font_04_sfnt_off000261c3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x261C3 17364 bytes
SHA-256: e491a19cd6345df2d70fcbb83e7dddae83337b8b039c89571d33d24a0cee15a1
font_05_sfnt_off00027a4f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x27A4F 1740 bytes
SHA-256: e51ca0148e7e0aae4eb42a5f75a65a08a0f66e9857e45ec5485c6aa46bc5905c

Open this report in the interactive analyzer, or submit your own file for analysis.