Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b850b703fea1cf0…

MALICIOUS

PDF

91.5 KB Created: 2021-09-09 07:03:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 08e125e6552b64faa1049abea8fa82d1 SHA-1: e7f191849526438ad02502f0228d60fc730a191e SHA-256: 4b850b703fea1cf0c25f90089f8139dcf170fe759257d5a3223ed0598df04bc2
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a link farm with numerous URLs pointing to potentially compromised websites or disposable hosting, indicating a phishing or malware distribution attempt. The ML classifier and ClamAV detection strongly suggest malicious intent. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this, as these rules identify patterns associated with malicious link farms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9935

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vet-arrighicolangelicristilli.eu/userfiles/files/15615571796.pdf
    • https://www.aifimm.it/admin/inc/ckfinder/userfiles/files/97407291996.pdf
    • http://tobn56.com/UpFiles/file/jovedi.pdf
    • http://123dvere.sk/files/file/18269242242.pdf
    • https://karapinler.com/calisma2/files/uploads/54040097142.pdf
    • https://phoenixknights.co.uk/wp-content/plugins/super-forms/uploads/php/files/7ace286a3cd3dd0b63c2e544e1ddffe1/wuzorenesirurubi.pdf
    • http://ticaproduce.com/ckfinder/userfiles/files/95351858399.pdf
    • http://exhibitionchannel.com/upload/julex.pdf
    • https://mosoptagro.ru/wp-content/plugins/super-forms/uploads/php/files/aac3720c531709d04a630e4cc5ce05a4/zigugipukejofalasixegagim.pdf
    • https://digireg.ch/upload/85400903409.pdf
    • http://uitetenindex.nl/images/uploads/moxirif.pdf
    • http://stacjaregeneracja.pl/userfiles/file/dageromavo.pdf
    • http://chatyzvule.cz/uploads/37353113967.pdf
    • http://kirsanov-maslo.ru/uploads/28558336219.pdf
    • https://vetamblj.si/ckfinder/userfiles/files/danizoxekerot.pdf
    • http://extintoresorigen.com/images/editor/86393718895.pdf
    • http://maxidmum.com/images/upload/fck/file/98737985341.pdf
    • http://fw-simple.com/uploads/files/40676445440.pdf
    • https://ccveg.org/wp-content/plugins/super-forms/uploads/php/files/pp987rdp84bmcmqkpo73d9taji/nolepib.pdf
    • https://infrastone.com/userfiles/files/18705390994.pdf
    • http://articolo17.it/siti/usr/foto/files/jujakakupukegedaned.pdf
    • https://cosonnguyenthanh.vn/webroot/userfiles/files/8045991186.pdf
    • https://jagamimpi.com/contents/files/30214387483.pdf
    • http://sibleyestateplanning.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/fuxomigujakitome.pdf
    • https://feedproxy.google.com/~r/Uplcv/~3/6naE_Nh8_CY/uplcv?utm_term=you+again+full+movie
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010345.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10345 16792 bytes
font_01_sfnt_off00011b5c.bin
734e5fe1c292b1b7e6cec57c4c2a08e43b2b6e3c68c03a428469d834593e303f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11B5C 10340 bytes
font_02_sfnt_off000132ab.bin
cc42fbec5ed4aa8d620da3f30b485c72ab7810ca2702ccafa91d014fd380b0a4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x132AB 17800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.