Malicious PDF — malware analysis report

Static analysis result for SHA-256 6162498c656d2431…

MALICIOUS

PDF

80.1 KB Created: 2021-09-08 00:02:24 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: bc39bb6fc63187c868af2ef4e2f5450a SHA-1: 4f57aeb2c4bd07914398137f18f6221ef7060a27 SHA-256: 6162498c656d2431fb05086008ed03113a83992e003b70221282559c7c4d442d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains numerous links to external websites, many of which are hosted on compromised WordPress sites or disposable domains, indicating a link farm designed to distribute malicious content. ClamAV detection and ML classification confirm the malicious nature of the file. The presence of multiple PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics strongly suggests a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9781

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/160713c4dce074---modugipujesobabidumo.pdf
    • https://ecef-groupe.com/wp-content/plugins/super-forms/uploads/php/files/mrefmqn3mfj2klnorkq9i6hm86/19453115009.pdf
    • http://www.expertnutritionadvisor.com/wp-content/plugins/formcraft/file-upload/server/content/files/16102e4a84820e---ruremuvomixun.pdf
    • https://burmesecatclub.nz/wp-content/plugins/super-forms/uploads/php/files/855ded7808c7727287099aef5965db22/demimisuzipuvejafaxez.pdf
    • http://baodieptailor.com/uploads/2021-06-21/images/files/sukufasaxonixigi.pdf
    • http://penoplex24.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1608e9a23d2c6e---rodulurisovopijakefaz.pdf
    • https://heider.ru/wp-content/plugins/super-forms/uploads/php/files/3a3c2caf6ae20bb7ae19f1c6a5291b0e/vodijokozunekireluxuju.pdf
    • https://www.sabiamente.es/wp-content/plugins/formcraft/file-upload/server/content/files/16128f0dc7685b---45409455002.pdf
    • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/c334ac55e7fbacd944d90a6e25349b97/71097365729.pdf
    • http://personal.sut.ac.th/chantira/port/ckfinder/userfiles/files/97615697025.pdf
    • http://thanhlamresort.vn/wp-content/plugins/formcraft/file-upload/server/content/files/1612776862b30e---50666585026.pdf
    • http://www.ncstarim.com.tr/wp-content/plugins/super-forms/uploads/php/files/7jlfl5ihgvskmar5ak63j44253/13844197659.pdf
    • https://ktmcollege.org/public_html/userfiles/file/tagazodetonubipinasugit.pdf
    • https://hawkseyetravels.com/assets/ckfinder/userfiles/files/29994338340.pdf
    • http://acecaalcoy.com/userfiles/file/86628625260.pdf
    • http://ecologie-energie.com/userfiles/file/bisaxapumupakolurigan.pdf
    • https://teenvolunteer.org/wp-content/plugins/super-forms/uploads/php/files/ea51d1ca77254d8632267803986803b9/96162856307.pdf
    • https://ifacemount.com/wp-content/plugins/super-forms/uploads/php/files/8b84v0g8pro04c5g7s33ro4e92/82535633470.pdf
    • https://www.hed-endo.hr/wp-content/plugins/formcraft/file-upload/server/content/files/160717ae8c10c8---zubaxopabefavukef.pdf
    • https://dianthusindustrial.com/resimler/files/88642476898.pdf
    • http://ambulanceservice.pl/userfiles/file/5578655636.pdf
    • https://giustofiori.it/file/fisugus.pdf
    • http://sjatupornservices.com/file_media/file_image/file/xetotuneruvu.pdf
    • https://homeaestheticsllc.com/wp-content/plugins/super-forms/uploads/php/files/d6b8b3d72af369ea243f86ed86db9d8c/85860571762.pdf
    • http://bobmeetin.com/media/galleries/files/novulav.pdf
    • http://baharemadinah.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d532a4f11d2---17182610716.pdf
    • https://feedproxy.google.com/~r/skout/mBVl/~3/ngfLrbzwjls/uplcv?utm_term=margaritaville+blender+owner%27s+manual
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000ee2d.bin
33cf2f5fae4ed3b1237dfabdb014fef834db0984ed9377437e8d8c2b916bed39		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xEE2D 17992 bytes
font_00_sfnt_off0000bca4.bin
12a7d8026e3788e332702d7bdbd7070fbefe85bd62db7ce8f41aa60233bf6c4d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBCA4 11012 bytes
font_01_sfnt_off0000d61c.bin
9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD61C 16792 bytes
font_03_sfnt_off00010a69.bin
1cdac766e3bd30a596132d619e03ea5c7f31acd90199394da960036d25af696f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A69 15860 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.