Malicious PDF — malware analysis report

Static analysis result for SHA-256 58f74142a4406b63…

MALICIOUS

PDF

87.9 KB Created: 2021-04-28 21:10:14 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-06-04
MD5: edea5d24e548a2b9732fcc57e885eed1 SHA-1: a461942355cfc8e7dec5ff2fb10a9668e7b5c978 SHA-256: 58f74142a4406b633da8e3204c3c8f03ef1f0dd88f91700e232b75d96c720cd5
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains numerous links, many of which point to compromised WordPress sites hosting PDF files. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to lure users to malicious content or exploit vulnerabilities. The presence of multiple distinct hosts and the use of formcraft/super-forms plugins suggest a coordinated effort to distribute malicious files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/160854eafdc212---tirakegizudisoniberaweno.pdf In PDF document text
    • https://jclifeschools.org/wp-content/plugins/super-forms/uploads/php/files/ce96322c9936fae0a623fc43ae920757/1904342607.pdfIn PDF document text
    • https://dentinale.eu/wp-content/plugins/super-forms/uploads/php/files/adc8ff2fadf55cfcd89ff0ed63b15de4/juburogajagotudijamaka.pdfIn PDF document text
    • https://www.karenlovelee.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607cfd4982d69---nobanodarukenijekosa.pdfIn PDF document text
    • https://kolodezrus.ru/wp-content/plugins/super-forms/uploads/php/files/2859fbd6e90f71a0d30bf967835da23e/26288748534.pdfIn PDF document text
    • https://www.peeryhotel.com/wp-content/plugins/super-forms/uploads/php/files/22a8abf1e380cf55867e6b90f580c5ac/mavubawora.pdfIn PDF document text
    • http://cedresarquitectura.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608140f8bee9e---lituwapalosanofonijurevib.pdfIn PDF document text
    • https://www.grandeprairie.org/wp-content/plugins/formcraft/file-upload/server/content/files/1606ca160d8029---27330408209.pdfIn PDF document text
    • https://ballestermultiservicios.com/wp-content/plugins/formcraft/file-upload/server/content/files/16088082595763---75211271765.pdfIn PDF document text
    • https://www.budgetskemaet.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16085990e79712---5223341757.pdfIn PDF document text
    • https://primeodontorj.com/wp-content/plugins/super-forms/uploads/php/files/e29d3905bc0530ffb61208df5faef7c9/44397054066.pdfIn PDF document text
    • https://centrobrands.com/wp-content/plugins/super-forms/uploads/php/files/cd880d4a8ad661d2dbfe11e973b24977/25406067004.pdfIn PDF document text
    • https://sweetestspaparty.com/wp-content/plugins/formcraft/file-upload/server/content/files/16085568c7c9fb---30838430941.pdfIn PDF document text
    • http://www.leesii.com/wp-content/plugins/formcraft/file-upload/server/content/files/160783ccf35882---kotoga.pdfIn PDF document text
    • http://xn--clinicaquirogavilario-vbc.com/wp-content/plugins/super-forms/uploads/php/files/ud6cvo04krggcpptl4mopran40/tivajofulivek.pdfIn PDF document text
    • http://mfplus.ba/wp-content/plugins/formcraft/file-upload/server/content/files/16073777e2f38b---pijitemotawuto.pdfIn PDF document text
    • https://vidolamerica.org/wp-content/plugins/super-forms/uploads/php/files/37db8c6e6de421f0920040fb012d388b/lumugamuwimexuzizugat.pdfIn PDF document text
    • http://allamericannursing.com/userfiles/file/95993733722.pdfIn PDF document text
    • https://useoneconvo.com/wp-content/plugins/super-forms/uploads/php/files/5fa32f15f3fbc9c9e12bac828122f6bb/85741056310.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/zMnd8XtcwSM/uplcv?utm_term=film+arbat+2017+sub+indoPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000f2e2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF2E2 3112 bytes
SHA-256: 0afa06da3aaadcc4a61064a4a1a66b322cac0d94072b22035a8fb908af9b819c
font_01_sfnt_off0000fe05.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFE05 5472 bytes
SHA-256: acfbc24111f8e02bef2151b965cd39a0603465668bb5de7f1ee1b33d3300a48c
font_02_sfnt_off0001108a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1108A 13804 bytes
SHA-256: 62f8766ca03ff0e68d0a40f89d975ef83d7ad806bf9575734c7727292a25bec2
font_03_sfnt_off00013c86.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13C86 16096 bytes
SHA-256: 61761e6c71fdd980502ce8a3a8cbf9590216241eb9eabe72fdf309a1c23cd3c2

Open this report in the interactive analyzer, or submit your own file for analysis.