Malicious PDF — malware analysis report

Static analysis result for SHA-256 58477301808d6858…

MALICIOUS

PDF

81.1 KB Created: 2021-06-25 19:41:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 21f9e8d5c99fcb4b80c99f7d96e92bdd SHA-1: 51c73ff5951ca5e12c5a88dea9fb2e9e90e31c5f SHA-256: 58477301808d68580821e98289d9ca6bdb35c84a6d3c73943acbdfc4d49f8577
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It functions as a link farm, presenting numerous URLs that likely lead to phishing sites or further malware downloads. The presence of external URI heuristics and link farm indicators strongly suggests a malicious workflow designed to lure users to compromised or disposable hosting sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9933

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://infrive.ru/uplcv?utm_term=please+be+guided+accordingly+in+tagalog
    • http://www.x454.com/wp-content/plugins/super-forms/uploads/php/files/3aennkag52hnk4m4iu2bbu1pn1/57026741421.pdf
    • https://alsterparkett.de/wp-content/plugins/super-forms/uploads/php/files/2r98o50ltit5dt9869pevsolgl/42943678128.pdf
    • https://kassa-evotor.ru/wp-content/plugins/super-forms/uploads/php/files/pc0eojl88gbm1hp015j3kajftc/54002449748.pdf
    • http://billsky.ee/files/file/24600101180.pdf
    • https://dogathermalhotel.com/resimler/files/65562385721.pdf
    • https://webtraffic.ch/wp-content/plugins/super-forms/uploads/php/files/f3r3d9t2o8b1ktp1i0r9utaitb/tilafobazavelixuruvupaz.pdf
    • http://lotusromeo.fr/app/webroot/files/userfiles/files/mezaburujizowavosu.pdf
    • https://web-sila.ru/wp-content/plugins/super-forms/uploads/php/files/81f2bf29475a7aefea7754b8fbd1e694/69334125558.pdf
    • https://monacollection.ua/wp-content/plugins/super-forms/uploads/php/files/73de304eb845b55823704bf903bfdbbb/dutoxudamomame.pdf
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/11ea52bccf4b68ebfac4b9e747605b05/daporijikiwivurumoga.pdf
    • http://uniondeautoescuelas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b4c8fae9522---lodokuxe.pdf
    • http://www.majorisinvestimentos.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16087ff6952d03---26154399230.pdf
    • http://intechsol.kz/wp-content/plugins/formcraft/file-upload/server/content/files/16076a6e18d32c---88261953597.pdf
    • https://wilsonbarrera.com/inicio/wp-content/plugins/formcraft/file-upload/server/content/files/16072bf10682ed---rabozas.pdf
    • https://sevsport.info/wp-content/plugins/super-forms/uploads/php/files/cb30240adf33b64c903325f93ac2b3a9/sumakatuweviwine.pdf
    • https://asi-filter.pl/files/file/92369166817.pdf
    • http://recviem.ru/img/upload/4705771438.pdf
    • https://evenimentecastel.ro/wp-content/plugins/super-forms/uploads/php/files/klmmj8e9r6nbj0prr0a31q69dc/37231318156.pdf
    • http://artgraf24.pl/userfiles/file/12219376232.pdf
    • http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/160783e4904cdc---60080518720.pdf
    • http://www.alwaysflorida.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e1c54735e1---20124428404.pdf
    • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/ecd7311d33f6566ae7fd9c948950ad75/ludebafapitagawusuw.pdf
    • http://ozari-ua.com/files/file/mawaberevasupixelew.pdf
    • http://www.empresasdelimpeza.info/wp-content/plugins/formcraft/file-upload/server/content/files/160a8cd56a041c---mokemefolox.pdf
    • http://arch-teh.com/pic/userfile/bazalifazeruxig.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c6b9.bin
25573a17cb9446a958030dc77b50f8fbc3992ca574d40ce938170b84687f210a		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC6B9 10900 bytes
font_01_sfnt_off0000dfe8.bin
2e9a266594cdf53408dd407a8893589822b99521410348877d2354492f301fdb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDFE8 15828 bytes
font_02_sfnt_off00010899.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10899 16792 bytes
font_03_sfnt_off000120aa.bin
bfc7ce51a1a9b37382af61f0075eb0cdb972126da031002d338643432d80e6e4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x120AA 16252 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.