Malicious PDF — malware analysis report

Static analysis result for SHA-256 57fea1667df8a237…

MALICIOUS

PDF

88.4 KB Created: 2021-07-21 20:43:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-31
MD5: 4dc5663219f6c1b8cede993274cabb11 SHA-1: 2e6aaab35b176c1e8dff2910fa667dbbc7e3eb51 SHA-256: 57fea1667df8a23755e87ca9932164901dba187f09f52f34cfdb05b9fb172140
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, indicating a high likelihood of malicious intent. The document contains a link farm pointing to compromised WordPress uploads and disposable hosting, suggesting it's designed to distribute further malicious content or phish users. The presence of embedded URLs and the 'Fake invoice / payment lure' heuristic further support the attack pattern of using deceptive content to trick users into clicking malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kolaykanal.com/userfiles/files/dikor.pdf In PDF document text
    • http://china-miyaco.com/img/file/2021716234522.pdfIn PDF document text
    • https://www.femregenx.co.za/wp-content/plugins/super-forms/uploads/php/files/vmppfdrkbtrfj3d11ti5cf0ps4/69466320594.pdfIn PDF document text
    • http://www.k-24.com/wp-content/plugins/formcraft/file-upload/server/content/files/160befd9dd2314---4801158864.pdfIn PDF document text
    • http://allmedicus.com/userfiles/file/wowetakajenexujot.pdfIn PDF document text
    • http://www.maoles.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d7167d2fe18---godezaximuvosubu.pdfIn PDF document text
    • https://srp-galabau-rostock.de/wp-content/plugins/super-forms/uploads/php/files/rdis45i37avuid7cegbv11e42h/denavevosafazuxagekafo.pdfIn PDF document text
    • http://eros-arena.de/eros/userfiles/file/27042116179.pdfIn PDF document text
    • http://kraljicabih.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bf0fec1d5d2---88777312072.pdfIn PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/1609f6b97d2e95---xinivejuludifelarimenonuf.pdfIn PDF document text
    • http://emotionpicturesfestival.gr/userfiles/file/86853097164.pdfIn PDF document text
    • http://www.theflightfest.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d671b24a74b---nuzafapelikoli.pdfIn PDF document text
    • https://tkpmission.org/wp-content/plugins/formcraft/file-upload/server/content/files/1609b80eaa7075---nesebijotemewekuginotagu.pdfIn PDF document text
    • http://qkmedica.com/uploads/userfiles/file/xuvepozegiguwigibalut.pdfIn PDF document text
    • https://www.sussexweddingservices.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1608318e530571---gidud.pdfIn PDF document text
    • http://mankatomnclassof71.com/clients/e/e0/e0e8961458839910853a12af65841b27/File/lejigeloki.pdfIn PDF document text
    • https://kodeac.com/wp-content/plugins/super-forms/uploads/php/files/nq46m6choibo51fvn1at6qbcpf/3767137026.pdfIn PDF document text
    • https://proff-doors.ru/wp-content/plugins/super-forms/uploads/php/files/9fd4ea53158185c50f60d20b3a33df26/17453124321.pdfIn PDF document text
    • https://srinivasagroup.com/ci/userfiles/files/65808519949.pdfIn PDF document text
    • https://www.hungryalex.com/wp-content/plugins/super-forms/uploads/php/files/18f09313d112b643af8ba9cf7893338d/nagox.pdfIn PDF document text
    • https://www.asahinadigital.com/wp-content/plugins/super-forms/uploads/php/files/pb7er3vmm0ergc3o9b1u7d2fi2/9930685042.pdfIn PDF document text
    • https://www.keystonecare.co.uk/wp-content/plugins/super-forms/uploads/php/files/bb642ce341eff19ece7ff5902de4f9c3/27439363066.pdfIn PDF document text
    • http://artstudiodesign.it/userfiles/files/38780933570.pdfIn PDF document text
    • http://ashioke.com/images/library/File/kosopusudixezebel.pdfIn PDF document text
    • http://orhs86reunion.com/clients/6/67/6744625166a0df26c7abb40948833271/File/vuzizir.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/1KS0DP0cxss/uplcv?utm_term=dc+tax+extension+formPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f56c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF56C 17416 bytes
SHA-256: 2eb908c9e66d06601b1a468e158bb050dfecc5a489e707d191dd05d760e49a48
font_01_sfnt_off00012343.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12343 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013b5a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13B5A 10552 bytes
SHA-256: 48ac56a267d02780b8db1dd8e1431906eca98133775eaeb957b02094e75f113b