Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c8cd35252b90e42…

MALICIOUS

PDF

65.4 KB Created: 2021-06-09 00:21:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-08-25
MD5: 2488e21dca9efc8a472a274c912713bf SHA-1: 283a7493c37c63a8f43940b40739ec5e113af743 SHA-256: 5c8cd35252b90e4216dba347d3a13ac7ccca5d2abae37207a4a37561a9bab723
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ClamAV and an ML classifier. It contains multiple links pointing to compromised websites and disposable hosting, suggesting a phishing or malware distribution scheme. The document body, though heavily obfuscated, references 'Star wars rpg allies and adversaries pdf', likely a lure to disguise the malicious intent. No scripts were extracted, but the presence of numerous external URLs indicates a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9708

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://allytemp.ru/uplcv?utm_term=star+wars+rpg+allies+and+adversaries+pdf PDF link annotation
    • http://iccarrentals.com/files/file/16222341169.pdfIn PDF document text
    • https://www.stjohnhomelessshelter.org/wp-content/plugins/super-forms/uploads/php/files/146d7b0d8c308b29887b8e780f854850/soxiwagumexune.pdfIn PDF document text
    • https://www.criteriainvest.com.br/wp-content/plugins/super-forms/uploads/php/files/j1dbsibsn32709rf3v6n383ss9/lubowilozeles.pdfIn PDF document text
    • http://petukmahaaaraj.com/userfiles/file/vimiripojam.pdfIn PDF document text
    • https://janeunchained.com/wp-content/plugins/super-forms/uploads/php/files/ujncprqa3j5so2mjsgmhgro1ie/pigiki.pdfIn PDF document text
    • http://poiskvod.ru/images/file/nidozorabepetawasijewi.pdfIn PDF document text
    • https://alignerco.com/wp-content/plugins/super-forms/uploads/php/files/3a1d6f9f6994624d094a363888b888ec/jomaxivuxekuwane.pdfIn PDF document text
    • http://sciencevier.com/wp-content/plugins/formcraft/file-upload/server/content/files/160807715d77a0---fedoxoj.pdfIn PDF document text
    • http://homenet-spb.ru/userfiles/file/62133122258.pdfIn PDF document text
    • http://www.theflightfest.com/wp-content/plugins/formcraft/file-upload/server/content/files/160afafc8a9035---gigimasupojijo.pdfIn PDF document text
    • http://shannonlakeestates.org/fck_images/file/rozilibilasedumade.pdfIn PDF document text
    • https://mobistore.co.nz/wp-content/plugins/super-forms/uploads/php/files/75fe16e0578f99c91d91a3d0ac3e68f5/51994590566.pdfIn PDF document text
    • http://novaserv.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606c7ba976b46---74804123293.pdfIn PDF document text
    • https://www.hospedeagora.com.br/wp-content/plugins/super-forms/uploads/php/files/0djstmaa886mssdldih7641svf/20817179719.pdfIn PDF document text
    • https://www.chauffeur-prive-nice.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16075c1dd7f786---51198130109.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cd21.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCD21 5464 bytes
SHA-256: 9be5ee7e0d45757afb0cb1422a47612ca7eea4f16ca50776408ee7686d1e561d
font_01_sfnt_off0000dfdd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDFDD 10368 bytes
SHA-256: da94265cab47228a6f5cb1175ef58314c85e156779f3292b03be9ade04dfbbe0