Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d72a0965f2b5574…

MALICIOUS

PDF

97.6 KB Created: 2021-09-08 01:17:47 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-11
MD5: 7423863b49bf5745a0c8b23010b71418 SHA-1: a5a3ba7be2cb1837cdd0bf01274a52c8a3debf3a SHA-256: 5d72a0965f2b5574fda67c654a8e84fd49291130e9d546b8ba094aa8626d68bf
216 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple heuristics indicating it is part of a link farm designed to host malicious content, with several URLs pointing to compromised WordPress sites. The 'SE_CALLBACK_LURE' heuristic strongly suggests a callback phishing or tech-support scam pretext, aiming to trick users into initiating contact. While no scripts were directly extracted, the overall structure and URL patterns are indicative of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9888

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608497f65a8bf---wusabutebi.pdf In PDF document text
    • http://lbs.ac.at/wp-content/plugins/super-forms/uploads/php/files/i24if92rg870tgpkj01pc2p42t/xopivosofuju.pdfIn PDF document text
    • http://www.northeastmarquees.com/wp-content/plugins/super-forms/uploads/php/files/0afed7e380b544e9eda03ceda57fda05/bujilajore.pdfIn PDF document text
    • http://kennyre.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b85ba2734ab---murenerixumukevizipafemon.pdfIn PDF document text
    • https://bloc-immo.com/images/vigob.pdfIn PDF document text
    • https://shining4u.com/wp-content/plugins/super-forms/uploads/php/files/7173221a5967d05390c5098c337251d1/49907735009.pdfIn PDF document text
    • http://sanders-scottfamily.com/clients/26926/File/96785570347.pdfIn PDF document text
    • https://fonixkoncert.hu/upload/file/13057415202.pdfIn PDF document text
    • https://aviseco.ro/userfiles/file/4934839561.pdfIn PDF document text
    • https://www.helpfulhunks.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160d5d09d19c9d---91100212373.pdfIn PDF document text
    • http://atut-biuro.com/uploaded/file/xofiriwod.pdfIn PDF document text
    • http://ackerviewguesthouse.com/userfiles/file/zisuvez.pdfIn PDF document text
    • http://sbkf.org/files/files/mosalirezibejudo.pdfIn PDF document text
    • https://saraelv.no/wp-content/plugins/formcraft/file-upload/server/content/files/160773264dd75f---milabepefupodimotemab.pdfIn PDF document text
    • https://www.tri-or.fr/tri-or/ckfinder/userfilesfiles/63191157967.pdfIn PDF document text
    • https://ms02bet.net/contents//files/99411111227.pdfIn PDF document text
    • https://luxmarketing.agency/wp-content/plugins/super-forms/uploads/php/files/ajieaivpb9q3oib6dfe6fmsirv/228925835.pdfIn PDF document text
    • https://askopenko.com/wp-content/plugins/super-forms/uploads/php/files/1dae556c3162dbb3992dba45d15f14c3/37842400578.pdfIn PDF document text
    • https://itacademyindia.com/ckfinder/userfiles/files/sulujo.pdfIn PDF document text
    • http://myucmas.com/userfiles/file/xesuvipipawebujekijulal.pdfIn PDF document text
    • http://www.sunarnuricomuisvealisverismerkezi.com/wp-content/plugins/super-forms/uploads/php/files/65d3tnt9r4s58k71ksks0v1iv0/jusaxibatanesekevijapo.pdfIn PDF document text
    • https://sportli.co.il/wp-content/plugins/formcraft/file-upload/server/content/files/1609b70705d4d6---fugarenanobekenapadegeb.pdfIn PDF document text
    • https://bombapin.com/calisma2/files/uploads/14126840336.pdfIn PDF document text
    • https://braviengenharia.com.br/wp-content/plugins/super-forms/uploads/php/files/kgh91227hneo6ggv16oag94cj9/21913395441.pdfIn PDF document text
    • https://kamber.dk/wp-content/plugins/super-forms/uploads/php/files/3dd444c97d4380a3ca59792ef3df1cd4/pewininimokosofexik.pdfIn PDF document text
    • http://nhatrangpalace.net/app/webroot/upload/files/xupogugemomibufo.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/S30rS-6n6vg/uplcv?utm_term=melanie+klein+biography+pdfPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001141c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1141C 10852 bytes
SHA-256: 612790a1fcf6640f4076ed2efef45c396c6b9908a01a65999dabc80953d4df32
font_01_sfnt_off00012c9c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12C9C 19776 bytes
SHA-256: 2b1408a25416850e77cf2b4f6d2a856137ea458c9a110f0bc1d8c97f26343d76
font_02_sfnt_off0001600e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1600E 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1