Malicious PDF — malware analysis report

Static analysis result for SHA-256 550619f8da1bd8b6…

MALICIOUS

PDF

86.9 KB Created: 2021-06-29 16:19:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-25
MD5: 1c804deabf7feafab67dc2158633af3b SHA-1: a3501a3e2952a8fa103f8f0ace76ce9c2f35fbf5 SHA-256: 550619f8da1bd8b6441a4bad228d829ba5ef13336b5f26966ba7223f6b27d503
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains a link farm pointing to multiple domains, some of which are identified as compromised CMS uploads or hosted on disposable domains, suggesting an attempt to distribute malicious content. The presence of a visual download button further supports a social engineering lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://qboardapp.com/wp-content/plugins/super-forms/uploads/php/files/87f47cdd14c6dae9dcf673a4306ca76b/xutosuz.pdf In PDF document text
    • http://charivne.info/images/file/77948001434.pdfIn PDF document text
    • https://diversifiedhumansolutions.com/wp-content/plugins/super-forms/uploads/php/files/d9a8a2b7ff5978669ca3b9974e7cbb2a/15123848849.pdfIn PDF document text
    • https://www.scanworld.se/wp-content/plugins/formcraft/file-upload/server/content/files/160788631703a6---xigerupubiv.pdfIn PDF document text
    • https://www.skyline-recruiting.com/wp-content/plugins/super-forms/uploads/php/files/dab3158f7fd9a7a811aa2fc237070293/novew.pdfIn PDF document text
    • http://astro2sphere.com/admin/images/file/zagovo.pdfIn PDF document text
    • https://controlcert.se/wp-content/plugins/formcraft/file-upload/server/content/files/1608197a6bfbcc---mesup.pdfIn PDF document text
    • http://protech.com.ng/wp-content/plugins/formcraft/file-upload/server/content/files/16091c3268c532---mupugar.pdfIn PDF document text
    • https://suma.ca/upload/editor/file/duxuju.pdfIn PDF document text
    • https://myhoorayhealth.com/wp-content/plugins/super-forms/uploads/php/files/01579ctqpnianoonntdnqhmhu7/37099152353.pdfIn PDF document text
    • http://gavinlawoffice.com/customer/3/d/9/3d947ad6ce2568d98b832ccf5548371bFile/94870394027.pdfIn PDF document text
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/6a5cf5d26583bad23e0daad1fe22f2f5/suxibimejo.pdfIn PDF document text
    • https://www.heainc.com/wp-content/plugins/formcraft/file-upload/server/content/files/16079382cc9e95---pokaxifememisifudemimo.pdfIn PDF document text
    • http://www.goataxiservice.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608069a2dd5ab---nuzadizudijoviwuvumetaj.pdfIn PDF document text
    • https://stallion-international.com/userfiles/file/31780678232.pdfIn PDF document text
    • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/160b8f22372e2d---94461656853.pdfIn PDF document text
    • https://phase1acoustics.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608af614ec52a---gusemekekixufubon.pdfIn PDF document text
    • https://www.digitalsofts.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d083f29ddd1---mejuvuwovegalevivizo.pdfIn PDF document text
    • https://signika.pl/Upload/file/94454349103.pdfIn PDF document text
    • http://iamsoldierfit.com/wp-content/plugins/formcraft/file-upload/server/content/files/16081cd5660bf0---kosofubefamulijijekilegi.pdfIn PDF document text
    • https://www.tai.gr/wp-content/plugins/formcraft/file-upload/server/content/files/1609796bb15370---29111421227.pdfIn PDF document text
    • https://www.elektrobetrieb-scholz.de/wp-content/plugins/formcraft/file-upload/server/content/files/16088f96e430ce---nupeneked.pdfIn PDF document text
    • https://cremeconferences.com/wp-content/plugins/super-forms/uploads/php/files/d7848e11ce397a4d113fc8aba6fa5fe7/77046613559.pdfIn PDF document text
    • http://argra.rs/wp-content/plugins/formcraft/file-upload/server/content/files/1608aa07ee9cbc---31252555956.pdfIn PDF document text
    • http://elitaliaweb.it/upload/file/89357194003.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=tuckman%27s+stages+of+group+interactionPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f16d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF16D 10964 bytes
SHA-256: bef6b25d7f2056c59ff1d61195645f63219a12a26f4372585db3770ee85f79cd
font_01_sfnt_off00010b00.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10B00 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00012312.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12312 16544 bytes
SHA-256: 3637064f2d518c4573b616339c4151e206e88c720916dce8395caf12c6becdda