Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b2230e55ba84f80…

Verdict: MALICIOUS
File type: PDF
Size: 516.1 KB
Created: 2021-06-27 02:07:52 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-09-14
MD5: ae4f8ab4a8625c233ed695a96542c6ef
SHA-1: aaffababc740cf4086da1219d5de959bc15e2ae1
SHA-256: 5b2230e55ba84f8046ebc6fd9a38eb73296d225a3a80a57b92a4cabd53ec5d54
Risk Score: 126

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains a link farm pointing to multiple compromised WordPress upload directories, suggesting an attempt to distribute further malicious content. The presence of these links indicates a phishing or social engineering attack vector, likely aiming to trick users into downloading additional malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7532

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00078a2c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x78A2C  10996 bytes
  SHA-256: d41b8e3bc9abc3f142090a51bfd100258c2c9a3924412d1ae1792eccdceb3211
font_01_sfnt_off0007a329.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7A329  1876 bytes
  SHA-256: 2e3283d3891602e0ca6f018a0940daf6a849e52de835049f1e17f08ab1807f0d
font_02_sfnt_off0007abac.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7ABAC  22112 bytes
  SHA-256: 1ec674e5685af8726d8caff7948bd3b4ef43fcbfb8ef4caf39a254ec3450b192
font_03_sfnt_off0007e800.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7E800  16792 bytes
  SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1