Malicious PDF — malware analysis report

Static analysis result for SHA-256 490064b48aae3ff5…

MALICIOUS

PDF

83.3 KB Created: 2021-07-05 16:49:33 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 0906ae78575db1f04f5028c9201cc6d9 SHA-1: b7aad44a48351387a6546cd365339ab0e8da0e07 SHA-256: 490064b48aae3ff57ecac01d45f33d148f350fbfb42db137ac921cdb5905c8e7
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by ClamAV as a phishing trojan. The heuristics indicate it functions as a link farm, with many URLs pointing to compromised WordPress sites and disposable hosting. Crucially, a 'Clipboard command execution lure' heuristic fired, suggesting the document instructs the user to copy and paste commands into a shell, a common technique for downloading and executing further malicious content. No scripts were extracted, but the overall pattern suggests a malicious document designed to lure the user into executing commands.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=how+to+combine+two+jpg+files+into+one+pdf PDF link annotation
    • https://eclipsetheaters.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607bb59f78987---jipafoxozizopapuvotunupoz.pdfIn PDF document text
    • https://www.adilaltinsoy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607f352fa2171---gikabavojozukupoxujazaki.pdfIn PDF document text
    • http://www.medicellbank.com/userfiles/files/lipowuzetoxegidusafisev.pdfIn PDF document text
    • https://www.heracles-hotel.eu/wp-content/plugins/super-forms/uploads/php/files/hl19u3sfvtv8kseo55a4q150oe/nisimesezopav.pdfIn PDF document text
    • http://erkerlaender.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606d65e6609b1---2495071008.pdfIn PDF document text
    • http://weddingdiy.cc/uploadfiles/files/20210608_123656_9741.pdfIn PDF document text
    • http://www.sunarpazarlama.com/wp-content/plugins/super-forms/uploads/php/files/ttrefpv3pkb7hrhbmovtkd48g3/gilavemevozomowupa.pdfIn PDF document text
    • http://bogieclassof67.com/clients/71235/File/timuxajefuwak.pdfIn PDF document text
    • http://geobigoni.it/userfiles/files/suwewofexag.pdfIn PDF document text
    • http://kotolantopeni.cz/file/28152378607.pdfIn PDF document text
    • https://www.aserspa.net/wp-content/plugins/super-forms/uploads/php/files/k6stqjml0ahsj890i50dltnseu/40068260771.pdfIn PDF document text
    • http://www.altrus.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160793c16933c2---vaxinozigudetuzemukut.pdfIn PDF document text
    • https://gradeagroup.com/wp-content/plugins/super-forms/uploads/php/files/4dcn0vcffce35o8hd032kae5ff/zaxuvijofe.pdfIn PDF document text
    • https://falconshipping-uae.com/userfiles/files/5160649385.pdfIn PDF document text
    • http://bukharasuwanee.com/sites/default/files/file/ruwomilikaginagi.pdfIn PDF document text
    • http://julieesteban.com/wp-content/plugins/formcraft/file-upload/server/content/files/160941ff789334---17629622961.pdfIn PDF document text
    • https://aawyx.com/sites/default/imageuser/file/96136712703.pdfIn PDF document text
    • https://sf-tfi-pgu.uz/wp-content/plugins/super-forms/uploads/php/files/b6dae50b5554980fe91e79537c0a4883/lirovikowu.pdfIn PDF document text
    • https://cambodiadriverservice.com/userfiles/file/99102975822.pdfIn PDF document text
    • https://eatorhours.org/e-bussiness/fckimages/file/14168442206.pdfIn PDF document text
    • http://wearebryants.com/clients/3/3b/3bb22ab34fb8fe691aabc4d0498f9caa/File/25273940823.pdfIn PDF document text
    • https://www.nobleorthodontic.com/wp-content/plugins/super-forms/uploads/php/files/8ef9208f63e3b744c1adfe2b7d821291/38306463357.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e2ba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xE2BA 16728 bytes
SHA-256: 435a72c7390aa02c65d5c70646d9806a1111cbda997bc397020e3727817b6b92
font_01_sfnt_off00010e8a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10E8A 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off000126a1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x126A1 11048 bytes
SHA-256: e5861ad65945a9cdc4aca1d70c49f63ea29b8d6ec9a8b6aadf9eeba601a61424

Open this report in the interactive analyzer, or submit your own file for analysis.