Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e62d7714f45d609…

MALICIOUS

PDF

83.3 KB Created: 2021-06-29 22:56:27 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: bc44effc1113b8785acf4cb0112d5827 SHA-1: 58b01992e6655ee1a2f19d0ed445201d5009a19e SHA-256: 5e62d7714f45d609e08dd3595c4c3e75f3fcf74281b52bcef75eb652f93a245c
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains a large number of embedded URLs, many of which point to compromised WordPress sites or disposable hosting, suggesting a link farm designed to redirect users to malicious content. No scripts were extracted, but the presence of numerous suspicious URLs indicates a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9964

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/uplcv?utm_term=painless+normal+delivery+injection+cost
    • http://studiodrago.eu/userfiles/files/52388513383.pdf
    • http://hi-reid-solutions.com/wp-content/plugins/super-forms/uploads/php/files/906333606dbe5f37518a969b7330be67/dewiboxifameved.pdf
    • https://systematix.pl/userfiles/file/zevemovagidufulituzo.pdf
    • http://svaz-podnikani.cz/files/file/17848196883.pdf
    • https://www.infratechgroep.nl/wp-content/plugins/super-forms/uploads/php/files/0954e4aca40e476fa70d0fff6d8a8ac0/83084040341.pdf
    • http://maasmartcity.com/userfiles/file/sijit.pdf
    • https://www.vigo.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160a9f9fde8c48---tikafasoxasa.pdf
    • http://madang.eu/f_pds/fck/file/59209422396.pdf
    • https://jnfarley.com/wp-content/plugins/super-forms/uploads/php/files/n90llh19ft41d3lg0hhqk2p4m3/27698719830.pdf
    • http://caryhigh1987.com/clients/41333/File/morajek.pdf
    • https://www.glasswindowequipment.com/wp-content/plugins/super-forms/uploads/php/files/6e5145b8d46ad4b102d9060aa460a1fd/94306261337.pdf
    • http://99hospitalitygroup.com/ckfinder/userfiles/files/tupofipadesovug.pdf
    • http://aaaexpressac.com/userfiles/file/3181361983.pdf
    • https://asharfilalkulfi.com/ckfinder/userfiles/files/51803435197.pdf
    • https://samarpanbharat.org/trila/userfiles/file/72936475507.pdf
    • http://iphysiology.ru/upload/giromapelateroruso.pdf
    • http://magendans.com/imagefiles/file/gajuzarexetonapizegu.pdf
    • http://globalbando.com/DATA/upload/files/202106291859111565.pdf
    • https://alamansyria.com/userfiles/file/zemavanipe.pdf
    • http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607835c964d51---98447423049.pdf
    • https://thewaves.net/wp-content/plugins/super-forms/uploads/php/files/kgc0psflvmiv1d2ujtfcb6d9d8/97670906028.pdf
    • https://gregor-biffiger.ch/userfiles/file/bosunosigexupozunis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e379.bin
90ed08a5d396a68ea922666c613131e7c82ab5598de9474fd9ab2134e7ad7de7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE379 16656 bytes
font_01_sfnt_off00010ec9.bin
059a7e70714c967673cfaa50c99d98d7e7b5b70ff0a55efa79cc456117e0faab		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10EC9 10844 bytes
font_02_sfnt_off000127cb.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x127CB 16792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.