Malicious PDF — malware analysis report

Static analysis result for SHA-256 50604ea7e0c9ecc6…

MALICIOUS

PDF

88.3 KB Created: 2021-07-17 17:06:22 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-13
MD5: 3c6fa119aa6724ed392cf39e6c41f489 SHA-1: 65824d54046ebf73a11a229da79d216713639bd4 SHA-256: 50604ea7e0c9ecc6d20bf0a1d36ba28ec0cd8bb9af673afe9ca1840e279fafb5
172 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and multiple links pointing to compromised WordPress sites, suggesting it's designed to host and distribute malicious files. The presence of a 'download' button lure further supports this, indicating a phishing or malware delivery attempt. The ClamAV detection as 'Pdf.Phishing.Trojan' reinforces the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9835

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://heilpraxis-pankow.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c8ec8a39aa5---ronarikeluga.pdf In PDF document text
    • http://www.stallionreadymix.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160d4af1e9eb73---45514795738.pdfIn PDF document text
    • https://rrr71.ru/upload_picture/nerunogojijopotezilazupar.pdfIn PDF document text
    • https://daismene.it/file/96554771147.pdfIn PDF document text
    • https://nasikampung.info/contents//files/95830243258.pdfIn PDF document text
    • http://pulsarvn.com/media/ftp/file/kiteraga.pdfIn PDF document text
    • https://christembassybarking.org/wp-content/plugins/super-forms/uploads/php/files/17b15264c4bd8e77cb2f0c65d3355546/kezuribugezotafutasabo.pdfIn PDF document text
    • http://tsg-vaganovskoe.ru/ckfinder/userfiles/files/68528983695.pdfIn PDF document text
    • https://baodinhsolar.com/wp-content/plugins/super-forms/uploads/php/files/89ig94nhlmc1dvu3a9pnf396of/riket.pdfIn PDF document text
    • http://www.melodypods.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b36f863586a---50654886993.pdfIn PDF document text
    • http://abapaposentados.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b12f658d7f2---fuvezovosuso.pdfIn PDF document text
    • http://headlinesdinerla.com/uploads/files/pogezomigujebevewuxi.pdfIn PDF document text
    • https://fitnessrev.net/wp-content/plugins/super-forms/uploads/php/files/edodgtkshhn75onv5chi2jv15u/vilasepekigenewufekig.pdfIn PDF document text
    • http://barbusci.it/maisUserFile/file/1041203867.pdfIn PDF document text
    • https://mariapolis.net/ckfinder/userfiles/files/53813227930.pdfIn PDF document text
    • https://ukmalayalamnews.com/userfiles/file/9390457560.pdfIn PDF document text
    • https://journeypeople.cc/wp-content/plugins/super-forms/uploads/php/files/3c9c0cf38d5c6009bbe05fac1fe04e5e/69148996041.pdfIn PDF document text
    • https://drmiamiconnect.com/wp-content/plugins/super-forms/uploads/php/files/029bc0e20c351c42d328b99ee1849d7b/39632664155.pdfIn PDF document text
    • http://www.recetasyconsejos.com/wp-content/plugins/formcraft/file-upload/server/content/files/160961e1d1d6ee---povivawadikotawa.pdfIn PDF document text
    • https://www.idahomedia.com/wp-content/plugins/super-forms/uploads/php/files/91b6a126b5c5b7027c5dfdee990aa84e/51816535469.pdfIn PDF document text
    • http://test.uebersetzungen-nesselberger.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a050ec0a645---gobugefiduret.pdfIn PDF document text
    • https://study-go.info/wp-content/plugins/super-forms/uploads/php/files/f2632f8bb4b2084535c2c6016949ca9a/70515874356.pdfIn PDF document text
    • http://konferencii.org/js/ckfinder/userfiles/files/fofunubabaropamep.pdfIn PDF document text
    • http://jinshi66.com/uploadfiles/files/warozitewabiporesogif.pdfIn PDF document text
    • https://harpethvalleyhealth.com/wp-content/plugins/super-forms/uploads/php/files/04128aa50306402ae8a98b228942d9af/zebajobiruletefenopi.pdfIn PDF document text
    • http://tilestone-pools.com/i/File/27184434288.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/S30rS-6n6vg/uplcv?utm_term=procreate+free+download+iphonePDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f39d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF39D 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off00010baf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10BAF 17604 bytes
SHA-256: 0e932526e0b9fbb094af8c93e746f3998a99e606d75a1f5a63afef0f0a5f27b9
font_02_sfnt_off000139c3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x139C3 10636 bytes
SHA-256: 0fda030281deca436c818a83a4ee9208fa21cf44993d825184e098b98fdc73d1