Malicious PDF — malware analysis report

Static analysis result for SHA-256 4dc7d157e6978737…

MALICIOUS

PDF

82.7 KB Created: 2021-08-17 03:45:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: a1a154e9809748a1a3cf6c34561f161b SHA-1: a48e7db9fe756df4cca9262450424922eec7c99c SHA-256: 4dc7d157e697873749bf92169aaab978727987067dc31f3b16f98377e5159d3a
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and numerous external URIs pointing to compromised WordPress sites and other disposable hosting. These links likely serve as a link farm to redirect users to malicious content, potentially leading to further malware downloads. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9911

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://inwebjor.ru/uplcv?utm_term=anatomia+y+fisiologia+humana+tortora+pdf+gratis PDF link annotation
    • http://www.petersmetalstitching.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/1611217b71aa63---94075228234.pdfIn PDF document text
    • http://10glazsikeyrosa.ru/file/91210216728.pdfIn PDF document text
    • http://foto-preiss.at/upload_files/files/18532647223.pdfIn PDF document text
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160e5f138a021a---vomusalelekokosoteta.pdfIn PDF document text
    • http://skpizzasubs.com/uploads/files/72686652495.pdfIn PDF document text
    • https://www.limratechnologies.net/wp-content/plugins/formcraft/file-upload/server/content/files/160a4ba3dd6fd8---59611760242.pdfIn PDF document text
    • http://dulichgiahy.com/upload/file/80056003777.pdfIn PDF document text
    • https://champion-osk.pl/userfiles/file/butegopoxurega.pdfIn PDF document text
    • http://www.grupohk.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16079948c90441---delunelemutama.pdfIn PDF document text
    • https://www.accidentinjuryalbuquerque.com/wp-content/plugins/super-forms/uploads/php/files/bv57o70kbsivnhqa77o8f1crg2/pepazisulipuxarilino.pdfIn PDF document text
    • https://www.theoakshealthcare.com/my_content/js/ckfinder/userfiles/files/61233797896.pdfIn PDF document text
    • http://asalsold.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bbe27a2e8f9---mipikuwabitarakazitadibip.pdfIn PDF document text
    • https://www.sevgiliyevideo.net/wp-content/plugins/formcraft/file-upload/server/content/files/1609f1e5dac4d1---ledenexibokuviwimopupora.pdfIn PDF document text
    • https://bnbcostaverde.it/userfiles/file/13730016926.pdfIn PDF document text
    • https://www.mixedclass.com.au/wp-content/plugins/super-forms/uploads/php/files/gbm3vb24qcqodkdnkpbvo7l61n/nixelavasusilukoputosoma.pdfIn PDF document text
    • https://www.web2business.pt/wp-content/plugins/formcraft/file-upload/server/content/files/160c8993a3d4a1---powakusaxatamese.pdfIn PDF document text
    • http://pokebarslo.com/uploads/files/komalerira.pdfIn PDF document text
    • https://anyimaker.com/upload/users/files/gaxuvimonebosinebex.pdfIn PDF document text
    • http://meble-tk.pl/userfiles/file/busojem.pdfIn PDF document text
    • http://www.companyforte.com/imagenes/editor/file/65960078810.pdfIn PDF document text
    • https://ailani.org/wp-content/plugins/super-forms/uploads/php/files/05bffb3da24141f46ea24b299b479779/nogadepufogef.pdfIn PDF document text
    • http://www.emporiocaritaspisa.it/wordpress/wp-content/plugins/formcraft/file-upload/server/content/files/1607e837b98a04---rukulakodoxiwefun.pdfIn PDF document text
    • http://tasarimak.com/ckfinder/userfiles/files/mofelelijonikefunolunez.pdfIn PDF document text
    • https://2acontractor.it/images/file/41481644367.pdfIn PDF document text
    • http://otoozevran.com/resimler/files/14065229004.pdfIn PDF document text
    • http://www.shipsupply.co.mz/wp-content/plugins/formcraft/file-upload/server/content/files/160e83ac2841d9---damiropowamijutibopafapos.pdfIn PDF document text
    • http://arcdesantmarti.com/biocop/Images/images-editor/file/74809593937.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dd00.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDD00 11008 bytes
SHA-256: 9cf81d6fd69c1f444283bef99acf0abbd23d671db3e30e64d89afd2a55b1aa0e
font_01_sfnt_off0000f633.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF633 17388 bytes
SHA-256: 826c0c64fd9d956ccd9c3d84472068593a7c3ac93e7b9a1dbe0a91b488bee78c
font_02_sfnt_off0001226f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1226F 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1