Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cc0baf5e399998b…

MALICIOUS

PDF

232.6 KB Created: 2021-06-19 08:51:08 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7c31cb3c312e749d4d1564ead3412c12 SHA-1: 3057bf55868ca14ae1f33b9d5da656756acab20f SHA-256: 5cc0baf5e399998bf1bbe0a72745eea480250ddaa295f13f14d39f4a3b06f9bf
126 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains multiple links pointing to compromised WordPress sites, likely intended to host and distribute malicious files. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing trojan. While no scripts were directly extracted, the presence of numerous embedded URLs suggests a downloader or phishing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9863

Heuristics 5

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dsodrecital.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076913f9a371---23090432273.pdf
    • http://doks-films.com/pcms/content/file/39346615634.pdf
    • https://flycam.com.tr/wp-content/plugins/formcraft/file-upload/server/content/files/160c22af1c29aa---50394157748.pdf
    • https://alatheir.com/atheirwsfiles/file/60146436715.pdf
    • http://kyanite.tv/userfiles/file/43172628980.pdf
    • https://htfcompact.com/wp-content/plugins/super-forms/uploads/php/files/a3fcafa61688f99f03d82388eb4b1475/63108519022.pdf
    • https://www.geosuiteonline.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a637247fbb2---besesusifan.pdf
    • http://birzebbugastpetersfc.com/files/file/pepetowe.pdf
    • http://interstyle.org/content/xuploadimages/file/4262187029.pdf
    • http://ganan10.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1609b745829a78---1736760663.pdf
    • http://bilagroup.com/wp-content/plugins/formcraft/file-upload/server/content/files/160743f5dc4e41---kujojefukoxogejimiwimaw.pdf
    • https://weblative.com/wp-content/plugins/super-forms/uploads/php/files/inrpbsgkvog0jbjc2jb28llnq9/13560797319.pdf
    • http://constructionone.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160722dbe2f364---75335131123.pdf
    • https://www.bluegreenshouseboats.in/wp-content/plugins/formcraft/file-upload/server/content/files/1607f7fe6cf046---36213876980.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.opentle.org
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=rufus+uefi+ntfs
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://www.gnu.org/licenses/gpl.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0002067a.bin
f298ce56538a718dc83fcaa177ac328922022255b825bb892b8e0ff629ede978		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2067A 110384 bytes
font_01_sfnt_off00032507.bin
c6c59bdfb23fa60e9b476f4ebf901b11019237b1aa966748abf4d0bba71da75a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x32507 4432 bytes
font_02_sfnt_off0003342c.bin
0b38f6fd5e0b54bfa22d5adee1cfe00629fe134100fc7cfc1ad14a2ab7974207		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3342C 6148 bytes
font_03_sfnt_off0003440c.bin
a39e9629610defca1da6f8aea1a58417f1b74fb269c7bedb12ae3f9d39f734a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3440C 16152 bytes
font_04_sfnt_off000374b8.bin
c4f1f5fa342b087b06f18443ce0587be8e4aae3cde279cbfb74df8af15b4ddc5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x374B8 19372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.