Malicious PDF — malware analysis report

Static analysis result for SHA-256 59ee1bd8ba6e1d18…

MALICIOUS

PDF

73.0 KB Created: 2021-06-11 23:47:26 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3b98bdfbd708cb2b5be02eec76d28d67 SHA-1: 87665274248d23c5e9c0fd51b85ad9982fca3945 SHA-256: 59ee1bd8ba6e1d18f3a6e4ae523616ce908f22a21b61cb2a6357b7e252734239
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.Trojan'. It contains numerous external links, many pointing to compromised WordPress upload directories, suggesting a phishing or malware distribution scheme. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=communication+and+sport+surveying+the+field+pdf
    • http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/16083212b642d5---94493166814.pdf
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/1606ccba2c09e3---31359016199.pdf
    • http://strahovka66.ru/userfiles/file/govosojisawotuwilup.pdf
    • https://www.charityweiss.de/wp-content/plugins/formcraft/file-upload/server/content/files/1607920b780b52---sagojigiruxisita.pdf
    • https://championsforchildren.org/wp-content/plugins/super-forms/uploads/php/files/22626b816745e0a2196403531f74fc69/zixezojawitip.pdf
    • http://modelkyujin.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a194011869a---88842638893.pdf
    • https://drivetripper.com/userfiles2020/files/55205041265.pdf
    • https://atolab.it/wp-content/plugins/super-forms/uploads/php/files/21e5ac66e1a46f0e18fb16c052bdaee1/58242825964.pdf
    • http://balogmihaly.hu/UserFiles/file/texupezilufikizede.pdf
    • https://www.mercato.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/16080b5fdae4fb---muxosujidusutezikimorome.pdf
    • http://frederickfollows.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607366efa0b83---noxom.pdf
    • https://vakukh.ru/wp-content/plugins/super-forms/uploads/php/files/29b5a6476dba88085af5a7f207c0fc3f/vonilikidavikiwigazovef.pdf
    • http://www.cuerpomenteyespiritu.es/wp-content/plugins/formcraft/file-upload/server/content/files/160b4b44880a15---totig.pdf
    • http://herodumpsterrental.com/wp-content/plugins/super-forms/uploads/php/files/f8e2f02c25d1b74fbaf30864b21584f7/lalifor.pdf
    • https://simovi.mx/wp-content/plugins/formcraft/file-upload/server/content/files/16078d0b5a7ef8---busoluwosewapotubamux.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e015.bin
4d44adf44eda533389b888070f7347f4834be06962a697d967750eb070b34a60		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE015 5636 bytes
font_01_sfnt_off0000f322.bin
7a5b700cc43f0acb3cc0b4c661b130f4805b720674f0576e8298237d9e92c244		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF322 10588 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.