Malicious PDF — malware analysis report

Static analysis result for SHA-256 49177f796f936465…

MALICIOUS

PDF

81.4 KB Created: 2021-07-20 03:42:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 19530d854190ea9068f32671e7ece7b2 SHA-1: 9207505954308b7d518aa400bc866c8c3887673b SHA-256: 49177f796f93646567e766e4c357201f26cbb4cb012e63f24d5a1922d046538c
176 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as malicious by ML classifiers and ClamAV, indicating a phishing or trojan threat. The document exhibits characteristics of a callback phishing or tech-support scam by presenting a lure that prompts the user to call a phone number. While no scripts were directly extracted, the presence of numerous external links, some pointing to compromised CMS uploads and disposable hosting, suggests a link farm designed to redirect users to malicious content or phishing pages. The document's structure and embedded links align with common phishing tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9949

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wotfiles.com/ckfinder/userfiles/files/2858543440.pdf In PDF document text
    • http://xn--h49al33a2zdp0eo1x.com/DATA/file/20210517213408.pdfIn PDF document text
    • http://piemonteforyou.it/userfiles/file/96316211911.pdfIn PDF document text
    • https://datatech-int.com/userfiles/file/keluworumusa.pdfIn PDF document text
    • http://ithaca1961.com/clients/875375/File/buxajonanuwawonedirux.pdfIn PDF document text
    • https://www.areatransfers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607c3ab4c551d---dakukeferuxoker.pdfIn PDF document text
    • https://besi.co/ckfinder/userfiles/files/10565243568.pdfIn PDF document text
    • http://gvs-russia.ru/admin/ckfinder/userfiles/files/30614751741.pdfIn PDF document text
    • http://artmetinc.com/wp-content/plugins/formcraft/file-upload/server/content/files/160967d3ccca38---tafusiturunokelop.pdfIn PDF document text
    • https://www.mozartcantat.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1607d24ee13d12---90645725846.pdfIn PDF document text
    • https://gk-termopanel.ru/wp-content/plugins/super-forms/uploads/php/files/41560ab01f5c80e41fa7f7b203321c63/bejiwuvabujirol.pdfIn PDF document text
    • http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/160733e93a7b38---13351490234.pdfIn PDF document text
    • https://micast.de/wp-content/plugins/super-forms/uploads/php/files/886scnmr92cj5b9gebd6hup914/89532069480.pdfIn PDF document text
    • http://phuwangnam.com/user_file/file/mabokituviwebuj.pdfIn PDF document text
    • https://baptistfriends.org/media/sigamixal.pdfIn PDF document text
    • https://spazmedia.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a0933083d72---64474557633.pdfIn PDF document text
    • https://www.sanier.pl/wp-content/plugins/super-forms/uploads/php/files/7pamnci8r2o1qi89o8i2nj1t25/59800748301.pdfIn PDF document text
    • http://2girlstrippin.com/wp-content/plugins/formcraft/file-upload/server/content/files/16080f5a3ae4de---koreseladijinajodonuguj.pdfIn PDF document text
    • https://wpsqld.com.au/wp-content/plugins/super-forms/uploads/php/files/7085d89d6848471c39b09ab6414b85d6/41122329061.pdfIn PDF document text
    • https://giverny-bkk.com/upload/files/38459117624.pdfIn PDF document text
    • http://www.pianoszimmermann.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160f60c114fe55---munidukolixosefumanabo.pdfIn PDF document text
    • http://buergerforum-tirol.at/file/19466969936.pdfIn PDF document text
    • https://deedpoll.sg/wp-content/plugins/super-forms/uploads/php/files/3e6a0fe721e7875bc200866bffca14ba/16675166542.pdfIn PDF document text
    • http://mdc.ir/ckfinder/userfiles/files/sisave.pdfIn PDF document text
    • https://www.18fire.com/wp-content/plugins/super-forms/uploads/php/files/f082f4d5d283332ca51131e14511b9f6/20501323072.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/GLLx1DTH0VQ/uplcv?utm_term=hotels+near+dale+hollow+lakePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d9a7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD9A7 17772 bytes
SHA-256: 8ac20d91e93be7ce99a1ee6d9073b11881684bc8073d8e76ea68f6614833d632
font_01_sfnt_off00010888.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10888 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001209f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1209F 10420 bytes
SHA-256: d8b592f1b586f99727614ba266b41154f18b168a6fd0f66dffb906d1e7d4fd3b