Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ad4fe82b0104814…

MALICIOUS

PDF

112.4 KB Created: 2021-07-01 00:20:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 9887d5d2b5ab72627f1ca0f340ba771d SHA-1: 1aac93e981eb9b4617bac48f0e48b7d5b9fcde80 SHA-256: 4ad4fe82b01048141e1f24a77840002658ea1172e22aad6d6a1a755a0dadf659
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a link farm that directs users to multiple distinct hosts, many of which appear to be compromised WordPress installations. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or redirecting to further malicious content. No scripts were extracted, but the structure and URL patterns are consistent with a phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9664

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shinserviceodi.ru/wp-content/plugins/super-forms/uploads/php/files/359fa7f442975d519ba7caa4e68b7d8b/remepepafuredasowim.pdf
    • https://stpetejazz.com/wp-content/plugins/super-forms/uploads/php/files/5so18ga34lq3j587118oo4eu5j/16974571619.pdf
    • https://www.popcaffe.it/wp-content/plugins/super-forms/uploads/php/files/74b1e3eb2c720ae4a99054ccfe8e41de/7319683312.pdf
    • https://phuquiland.com/upload/files/41641125791.pdf
    • http://manixcnc.com/ckupload/files/54142457960.pdf
    • https://fastcomputer.vn/wp-content/plugins/super-forms/uploads/php/files/53d39c0935158bb9bf0fd03602b3b895/sitebev.pdf
    • http://gloucesterclassof81.com/clients/23558/File/10579614620.pdf
    • http://zubrcup.by/files/files/35801799991.pdf
    • https://balance-global.com/wp-content/plugins/super-forms/uploads/php/files/lh21v2tad6o7j6eus9orn77qoo/narozupi.pdf
    • http://cuatro-pr.org/sites/default/files/file/lexegavel.pdf
    • https://yidinfo.net/wp-content/plugins/super-forms/uploads/php/files/jft7bu2to3hvfphuvnml5ndhv7/71082783309.pdf
    • http://www.miamiairportlimo.net/wp-content/plugins/formcraft/file-upload/server/content/files/160c3a6e5a8a75---8631818480.pdf
    • https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/16099c1f17452d---nakavakujononu.pdf
    • https://intrigantka.ru/images/userfiles/file/61457960362.pdf
    • http://cargo3030.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160891e9423b42---45204631743.pdf
    • http://pvsystexperts.com/wp-content/plugins/super-forms/uploads/php/files/gicsg46j7lipmqa7qf96c4hfa7/bexobidazuledixeti.pdf
    • https://www.isgs.org/wp-content/plugins/super-forms/uploads/php/files/2df850bef5259a3393f220b34bd40062/titowi.pdf
    • http://aelma.com/sites/default/userfiles/file/bovelajatuxulikenevim.pdf
    • https://alshaabcoop.com/userfiles/file/38800746376.pdf
    • http://tunglamgarden.com/images/fck/file/50014929905.pdf
    • http://nowyhotelik.pl/userfiles/file/valadivejul.pdf
    • https://www.coconutlodge.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbd89511323---mejefupapeberasisu.pdf
    • https://wonkingchina.com/d/files/45210249780.pdf
    • https://www.azulejositurry.com/wp-content/plugins/super-forms/uploads/php/files/si999a4epjueae5544m190plo4/xeziguxaramimake.pdf
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/6naE_Nh8_CY/uplcv?utm_term=word+for+mitigate
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off000179cd.bin
4625d58dba34bfcf229ce144b2d5c675b2354c00c21ea5e549d0d4d54d94be1d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x179CD 19784 bytes
font_00_sfnt_off000111e1.bin
557fc4559e95226763670795660e586ef4278f34f12e4f71a85e6494ca400b44		 pdf-font-stream PDF embedded font (sfnt) at offset 0x111E1 26104 bytes
font_01_sfnt_off000150cc.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x150CC 16792 bytes
font_02_sfnt_off000168d9.bin
a37ad689089c2a46f5f5d1212d6847e6877e0993986925e641fc612a95014438		 pdf-font-stream PDF embedded font (sfnt) at offset 0x168D9 4568 bytes
font_04_sfnt_off00019c58.bin
53185adccf52e6ea7e80b32e2bd2baa155509d04ddf9f549ce9d13463666ae31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19C58 10372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.