Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c32601bab248af3…

MALICIOUS

PDF

74.6 KB Created: 2021-09-06 11:28:54 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-05
MD5: c3e6d76bcdf524eebde9c3a23a147994 SHA-1: 144504f058262616467b5e47789825021fe0bdf9 SHA-256: 4c32601bab248af3a5be7e6163db0bf43f55615d1e9a5cebe635c25f130a349a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, a common technique for executing malicious code within PDFs. It also features a link farm pointing to compromised WordPress upload directories, which host further PDF files. This suggests a multi-stage attack, likely aiming to deliver a phishing page or malware through these linked documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9827

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.justgiveahand.org/wp-content/plugins/formcraft/file-upload/server/content/files/1607ca1a687497---kojiboratiduvekoguwulaku.pdf In PDF document text
    • http://www.morenoroofing.com/wp-content/plugins/formcraft/file-upload/server/content/files/160885a060b28d---45768228349.pdfIn PDF document text
    • https://www.endthestigmacounselling.com/wp-content/plugins/super-forms/uploads/php/files/h80u7cq31ua7pco4f2c0595ji8/52317851701.pdfIn PDF document text
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/160817bef63781---51684304326.pdfIn PDF document text
    • https://almoheetmanpower.com/public_html/userfiles/file/jajofupopojujokidani.pdfIn PDF document text
    • http://zjhywt.com/images/upload/File/bejigozug.pdfIn PDF document text
    • http://markasib.ru/ckfinder/userfiles/files/duwuw.pdfIn PDF document text
    • http://falegnameriacastiglione.it/userfiles/files/wotatapevuxi.pdfIn PDF document text
    • http://www.sm.ac.th/ckfinder/userfiles/files/guwawosezimelefujofepi.pdfIn PDF document text
    • http://qunjl.com/userfiles/files/60629307325.pdfIn PDF document text
    • https://chachachat.info/js/ckfinder/userfiles/files/62976437988.pdfIn PDF document text
    • https://anctools.com/ckfinder/userfiles/files/nudazajipogojiren.pdfIn PDF document text
    • http://ctyrkolky-gamax.cz/data/dokumenty/lemubazojowovonumeriwuwar.pdfIn PDF document text
    • https://monyetmesum.com/contents//files/gagiz.pdfIn PDF document text
    • http://master-sign.ru/ckfinder/userfiles/files/75329563478.pdfIn PDF document text
    • http://ciccioinpentola.com/userfiles/files/19689142614.pdfIn PDF document text
    • http://jeugdopdewetenschapsagenda.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160896806869e7---lisaluzew.pdfIn PDF document text
    • https://dongytueduc.com/wp-content/plugins/super-forms/uploads/php/files/8ar8h1dqg3ap2c4nm15h2saik9/97292038009.pdfIn PDF document text
    • http://totaleclipsenv.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c18ae0509a8---gefemegazugabatejida.pdfIn PDF document text
    • http://booklandbooks.com/userfiles/file/31420422918.pdfIn PDF document text
    • http://nowyhotelik.pl/userfiles/file/logojasip.pdfIn PDF document text
    • http://4bx.pl/public/file/xawiwowivawexipeki.pdfIn PDF document text
    • http://fipjp.com/userfiles/file/tepixufupojoguwer.pdfIn PDF document text
    • http://pileshoppen.dk/userfiles/file/ramilovimi.pdfIn PDF document text
    • https://agrotehholding.ru/wp-content/plugins/super-forms/uploads/php/files/4e03ccf9b0f884c4b4430f306b6afb4b/gotewixesorogewulu.pdfIn PDF document text
    • https://smallislandcurry.com/wp-content/plugins/super-forms/uploads/php/files/cddfa378f5217c18cd3f7eafd751877f/86382357690.pdfIn PDF document text
    • https://salonrewards.ca/images/file/loramoderugemibiz.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/ngfLrbzwjls/uplcv?utm_term=frigidaire+affinity+washer+installation+manualPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bfdf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBFDF 11080 bytes
SHA-256: 40596b6da40a7681cf0fcc5274da57d1018f5e76d1d83ceb87518e12eeff17e4
font_01_sfnt_off0000d94f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD94F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0000f161.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF161 16844 bytes
SHA-256: 89a991b1e96ece016b5eaa03505a3e25442b0bb2c883a8f9aed06c757d94e0b9