Malicious PDF — malware analysis report

Static analysis result for SHA-256 556a59a26d6417a5…

MALICIOUS

PDF

101.0 KB Created: 2021-09-05 02:15:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-11-23
MD5: 3881fdc4fa3739773f4eff589b60e538 SHA-1: 3290a78265d77236f968c92d1e9a876d9886c095 SHA-256: 556a59a26d6417a538834017311d7b3050c5cf7965b302ca4baea9abc7470357
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, containing numerous URLs pointing to compromised WordPress upload directories and other disposable hosting. These links likely lead to phishing pages or further malware downloads, consistent with a spearphishing attachment attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9935

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://smidgel.ru/uplcv?utm_term=makalah+ijtihad+lengkap+pdf PDF link annotation
    • https://mymango.ru/wp-content/plugins/super-forms/uploads/php/files/834f9fb0e95fab2060a8d5023b05ebdf/24214198738.pdfIn PDF document text
    • https://www.couleurs-et-jardin.fr/wp-content/plugins/formcraft/file-upload/server/content/files/160832f57bed4d---239526618.pdfIn PDF document text
    • https://salubrismd.com/wp-content/plugins/super-forms/uploads/php/files/019b22432853f9f940a5d30f3577b741/38976270859.pdfIn PDF document text
    • https://101doctor.com/uploads/ckfiles/files/60cc84689fe6c.pdfIn PDF document text
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/6e39fd120cd51cedc27c2d5174592248/29212306815.pdfIn PDF document text
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160ede96d23583---vapexinokezijalipe.pdfIn PDF document text
    • http://blevy.com/ckfinder/userfiles/files/ripovavugigi.pdfIn PDF document text
    • https://www.okcfarmersmarket.com/wp-content/plugins/super-forms/uploads/php/files/f148b9b5695a61c8bace816266f4732c/vuwudogozuvasa.pdfIn PDF document text
    • http://tele-video.ru/upload/files/kuvuxis.pdfIn PDF document text
    • http://hanlacsclub.com/ckupload/files/fetezugerejog.pdfIn PDF document text
    • https://gamletaarnhuset.no/wp-content/plugins/formcraft/file-upload/server/content/files/160bb540ce799d---rivuwatum.pdfIn PDF document text
    • http://generale-bureautique.fr/gdb/files/file/mozulomonafovoxifud.pdfIn PDF document text
    • https://vico-real-estate.com/ckfinder/userfiles/files/73154603970.pdfIn PDF document text
    • https://veritiesinstitute.com/wp-content/plugins/super-forms/uploads/php/files/732357eb66a24d0f670d2c9a3b02c5d9/suwix.pdfIn PDF document text
    • https://realestateconnect.us/wp-content/plugins/super-forms/uploads/php/files/gt8ob0eefgkd0fb76msps8uft0/vupamunutovuwejub.pdfIn PDF document text
    • https://sistemagestiondpr.co/userfiles/file/90988722926.pdfIn PDF document text
    • https://nceptionsolutions.com/wp-content/plugins/super-forms/uploads/php/files/2508b9f4239dda8b809888931f378282/baloxe.pdfIn PDF document text
    • https://ceadersvalet.com/wp-content/plugins/formcraft/file-upload/server/content/files/16071d0a451e18---soxupolagijiremuxepota.pdfIn PDF document text
    • http://aclamerica.com/customers/CMS-IMAGES/file/83122526944.pdfIn PDF document text
    • https://valleyrestoration.net/home/apf/public_html/ckfinder/userfiles/files/xunimikoxivavusemufobexap.pdfIn PDF document text
    • https://gdr.co.il/wp-content/plugins/super-forms/uploads/php/files/45cb7687ea6924a6e5bad71ca8bdc75a/bimigibutevosolatokusepit.pdfIn PDF document text
    • http://sieckultury.pl/wp-content/plugins/super-forms/uploads/php/files/cc61c2ad23c43d34515829893a6bae6a/kuwese.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000100df.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x100DF 24060 bytes
SHA-256: 2cf0420b5a60c462432e2236fd2936308d3fb43a337b647188f2758852843c46
font_01_sfnt_off00012b12.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12B12 10604 bytes
SHA-256: 28b8e89d291bc39bddc3b06050694afb7a99141bf396a9888615a792c85b8aa0
font_02_sfnt_off000142f1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x142F1 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off00015b03.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15B03 16488 bytes
SHA-256: 11217eff991560a578e3be4a663c3f22d4d3b314cd76adc8f22144f37c36a6df