Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fcd5c86d6ab318a…

MALICIOUS

PDF

141.7 KB Created: 2021-09-07 07:15:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-07
MD5: 2a4a92654a97e0e5c343a38e0721d39b SHA-1: ce5159993a1838bcd2bf9ded153c7671caef3262 SHA-256: 4fcd5c86d6ab318a5cac02dc0a8fe346e0efb7f21b993ed43bfe2765abdfc173
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to external domains, many of which appear to be compromised CMS uploads or disposable hosting, suggesting a phishing or scam campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of embedded URLs and the 'SE_CALLBACK_LURE' heuristic point towards a callback phishing or tech-support scam pattern, likely designed to trick users into visiting malicious sites or contacting fraudulent support numbers.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9913

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://studiomanzella.com/userfiles/files/bopemeja.pdf In PDF document text
    • http://yearbookplus.com/uploads/ckfinder/files/24448368207.pdfIn PDF document text
    • http://superfishinglewood.com/uploads/files/99413614865.pdfIn PDF document text
    • https://cissud.it/uploads/ck_editor/files/sapatesetitejitepedawobas.pdfIn PDF document text
    • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/16114e522a0f8e---61271190623.pdfIn PDF document text
    • https://deewo.de/wp-content/plugins/formcraft/file-upload/server/content/files/1606d478dc029a---sowomediponusadizofuwevu.pdfIn PDF document text
    • http://windcampus.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c9cdd0712ca---gikebajajewimaneko.pdfIn PDF document text
    • http://tivatijapan.com/uploads/userfiles/file/zepitataretevologotupu.pdfIn PDF document text
    • https://mariapolis.net/ckfinder/userfiles/files/51832828330.pdfIn PDF document text
    • http://global-poseg.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b28d3c27a1b---jijaramiribetowokotemura.pdfIn PDF document text
    • https://prosegik.com/wp-content/plugins/super-forms/uploads/php/files/5337581c374062d80ec43b4a28cf387e/80985353121.pdfIn PDF document text
    • http://www.jimenez-casquet.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c6aab81f305---kasojewametabalaz.pdfIn PDF document text
    • http://schouteninterieurwerk.nl/wp-content/plugins/formcraft/file-upload/server/content/files/160c511bc8cdf7---35523467698.pdfIn PDF document text
    • http://artistalexanderkanevskywinnerinternationalaward.com/clientMedia/file/89506411536.pdfIn PDF document text
    • https://www.sacda.org/wp-content/plugins/super-forms/uploads/php/files/1l2fn6jvi5bhcaa0laiv4sda03/wuliwefe.pdfIn PDF document text
    • https://thaiahpa.com/flash/files/31045918546.pdfIn PDF document text
    • https://hoffmanowska.pl/wp-content/plugins/formcraft/file-upload/server/content/files/160cc01e841fb0---ketapenog.pdfIn PDF document text
    • https://silga.ca/userfiles/file/dojev.pdfIn PDF document text
    • https://www.wikiwebagency.it/wp-content/plugins/super-forms/uploads/php/files/b8ba1487a8ac714434d754c191127358/nazewunozazomis.pdfIn PDF document text
    • https://kicksomeglass.com/wp-content/plugins/super-forms/uploads/php/files/888624fde69a87df3a808dfd21b7e71b/senuzojadewapapala.pdfIn PDF document text
    • http://monticellotownship.org/userfiles/file/18946134610.pdfIn PDF document text
    • https://bunianco.com/other_files/File/26305466486.pdfIn PDF document text
    • http://samromschool.com/UserFiles/file/gosoka.pdfIn PDF document text
    • http://ac-kenigsberg.ru/files/file/60790094835.pdfIn PDF document text
    • http://mouaumfb.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607061eac298c---72427214337.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/fzgW7-mxBc0/uplcv?utm_term=studies+in+pessimism+schopenhauer+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001c1b5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C1B5 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001d9cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1D9CC 11016 bytes
SHA-256: 0e1d66e6c59766fff13c327186567bf0112a85ba1630bd00f605c0f982b752b0
font_02_sfnt_off0001f32a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F32A 20572 bytes
SHA-256: 7acedd0beb41f38c0b5778c5cd93cbd81f6ff8d511d4fe3eed5bbf5f04a33206