Malicious PDF — malware analysis report

Static analysis result for SHA-256 5443c65ada90dc17…

MALICIOUS

PDF

88.6 KB Created: 2021-09-01 01:16:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-24
MD5: 4e681372fbf5c6b5b2012b03c3c2b75c SHA-1: 2cc63e2fef1c65b1a5c517ea071d2a9f494bc7e0 SHA-256: 5443c65ada90dc17775d7e1488cee32417113846a8f0f109f5e63fde39424766
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics as a link farm, with many URLs pointing to compromised CMS upload storage. The ML classifier and ClamAV also identified it as malicious, specifically a phishing trojan. The document's structure and embedded URLs suggest it is designed to lure users to malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9957

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://xlspandoek.nl/userfiles/file/posolenefoxalipobe.pdf In PDF document text
    • https://xn--80adj7cxa.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/56a07124647ee6eea2030db6e4df4095/1844269284.pdfIn PDF document text
    • http://holycrossyouthministryasp.org/clients/f/fa/fa15eac34f6f8ef5a8ada011ffef1578/File/3885276163.pdfIn PDF document text
    • https://eminenceconstruction.ca/viking1/uploads/files/bulomutuxux.pdfIn PDF document text
    • https://dispomydeal.com/wp-content/plugins/super-forms/uploads/php/files/b0fbce489a8828b68d603a76db1cc5c6/kidexanegiwajezujef.pdfIn PDF document text
    • http://ingpoggi.eu/userfiles/files/31846884042.pdfIn PDF document text
    • http://greer2001.com/clients/e/ea/ea56749d84c1a2d7db36d2c51c833a37/File/61861813107.pdfIn PDF document text
    • http://buyyoutubesubscribers.com/ci/userfiles/files/golavu.pdfIn PDF document text
    • https://siyata.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/160b9a34f094a7---5321317563.pdfIn PDF document text
    • https://altaamir.ipixpms.com/Rapport/public/assets/ckfinder/userfiles/files/13902516195.pdfIn PDF document text
    • https://empylean.com/wp-content/plugins/super-forms/uploads/php/files/893a24dul35memjnrc0h78v2au/44275859473.pdfIn PDF document text
    • https://humble-brag.com/wp-content/plugins/super-forms/uploads/php/files/cg08928j49st6gb6a417vf7h4o/fexerasisuf.pdfIn PDF document text
    • https://unitjaya.com/contents//files/mugipakobijexusiduz.pdfIn PDF document text
    • https://pikhospital.com/ck_uploads/uploads/files/74136357283.pdfIn PDF document text
    • https://gmonlinestore.com/wp-content/plugins/formcraft/file-upload/server/content/files/1611ac72563029---87511640121.pdfIn PDF document text
    • https://dentalrud.com/userfiles/file/49718067359.pdfIn PDF document text
    • http://kvbm.org/pds/userfiles/files/205915340.pdfIn PDF document text
    • https://tomorrowhubs.com/upload/users/files/fikedajijejela.pdfIn PDF document text
    • https://www.hediyevideo.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607968d8c5551---paxetapizutelizabezuj.pdfIn PDF document text
    • http://austria-ex.com/images/blog/file/82144245598.pdfIn PDF document text
    • https://www.pal-kont.hu/wp-content/plugins/super-forms/uploads/php/files/48a85052e73b8e0ab2881b339a25aede/kuwevevumatutarirupafuzu.pdfIn PDF document text
    • https://www.urban-quartz.co.uk/wp-content/plugins/super-forms/uploads/php/files/32c648cd768cbca8608035905c5af29a/95784413158.pdfIn PDF document text
    • http://malagi.pl/user-files/fck/file/meposunoreraxobofitag.pdfIn PDF document text
    • http://www.logistiekverbeteren.nl/ckfinder/userfiles/files/mugewasavibinatipiwobev.pdfIn PDF document text
    • http://iworking.vn/uploads/files/rofadixaf.pdfIn PDF document text
    • http://medicare-darmstadt.de/bilder/UserImages/file/lapedunudedek.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/ngfLrbzwjls/uplcv?utm_term=decaf+coffee+at+nightPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f737.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF737 18064 bytes
SHA-256: a6117d30644b8b529724d5cd54504087c93d89e3a4696c2e66aaf793cd59b473
font_01_sfnt_off00012523.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12523 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013d3a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13D3A 10300 bytes
SHA-256: 95450d250abe5f1ddbbd2af79553c80273c3ba49f5f2449c8d638bf29f6d526b