Malicious PDF — malware analysis report

Static analysis result for SHA-256 63cc5e2999957e5c…

MALICIOUS

PDF

100.5 KB Created: 2021-06-26 09:10:59 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: 14fd25c16e4958a56bf7868357e4cc98 SHA-1: 8df3e5bb2172d4c03d3d0b32f56f7346aa4f4bfb SHA-256: 63cc5e2999957e5cf616db88f0a96719a2989dc658c156d15fd7de1452fe8cf3
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a phishing or trojan threat. It contains a link farm pointing to compromised WordPress sites, likely intended to trick users into downloading further malicious content. The presence of embedded URLs and the nature of the heuristics suggest an attempt to distribute malware or facilitate phishing attacks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9887

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://samiznojmo.cz/wp-content/plugins/super-forms/uploads/php/files/dee7d86cadf1f140230784a25b0063c7/werali.pdf In PDF document text
    • https://sellerflows.com/wp-content/plugins/super-forms/uploads/php/files/be002925a9aadece427e11c59fd386fd/bapavepedumunibaxaxetejen.pdfIn PDF document text
    • http://conservationenergy.com/wp-content/plugins/formcraft/file-upload/server/content/files/1606d3c9401e00---56370352081.pdfIn PDF document text
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607e110343b92---letubiti.pdfIn PDF document text
    • http://xn--80ackbssfuieecff0e8c.xn--p1ai/wp-content/plugins/super-forms/uploads/php/files/7q7htqta2f1k4nphbahfaitm04/gawumibijosetamo.pdfIn PDF document text
    • http://www.iycadana.org/wp-content/plugins/super-forms/uploads/php/files/h7oatjko0aruv6k10bocbq6mo1/43585637643.pdfIn PDF document text
    • http://re-view.online/fckFiles/file/36787583741.pdfIn PDF document text
    • http://xn--om2b25zm6igqb.com/ckupload/files/kipokowe.pdfIn PDF document text
    • https://www.propertyfilevault.com/wp-content/plugins/super-forms/uploads/php/files/bd5781432fd72f95090dfae7e9c7d7a4/12813396222.pdfIn PDF document text
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/160acbd14cc8f7---92793977135.pdfIn PDF document text
    • https://wisserarm.nl/app/webroot/files/userfiles/files/luxesumevedixag.pdfIn PDF document text
    • http://futuresbuilder.net/dayafter/uploadimages/newsimages/file/24571171754.pdfIn PDF document text
    • https://pypconsultores.mx/userfiles/file/9958177693.pdfIn PDF document text
    • http://blackhorsesc.pl/userfiles/file/94305902520.pdfIn PDF document text
    • http://xn--or3bi2da319p.com/upload/fckeditor/file/lebodepogugoku.pdfIn PDF document text
    • https://infoenergie-loire.org/userfiles/file/bababikosobimat.pdfIn PDF document text
    • http://photographybynami.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bfb2ddc59cc---fawesigigevelejapepex.pdfIn PDF document text
    • http://shmountaineering.co.uk/wp-content/plugins/super-forms/uploads/php/files/d9vdtobt22hdqit8ki6tqdf8l6/tutebevakuzedotugabufuxe.pdfIn PDF document text
    • http://asirius.su/wp-content/plugins/super-forms/uploads/php/files/a7e64ef95b16fe443e451e9bdf2640a2/33111454595.pdfIn PDF document text
    • http://www.champcaregivers.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607663c9e8a2b---niwibafinikusabekuv.pdfIn PDF document text
    • https://robotics-institute.com/wp-content/plugins/super-forms/uploads/php/files/f4k5480obs7rsrr4vasg3eupig/2895927304.pdfIn PDF document text
    • https://suhrsmad.dk/wp-content/plugins/formcraft/file-upload/server/content/files/16079d3dd4dbba---12148728779.pdfIn PDF document text
    • http://tkhomedeco.com/assets/uploads/ckedit/files/20210625033244.pdfIn PDF document text
    • https://frontiersneurophotonics.org/wp-content/plugins/formcraft/file-upload/server/content/files/1/16093e618e6e16---debolef.pdfIn PDF document text
    • http://www.gametimecatering.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607082acdaba4---61501984648.pdfIn PDF document text
    • https://feedproxy.google.com/~r/skout/mBVl/~3/YTWXjIUwRh0/uplcv?utm_term=download+2pac+dear+mama+songPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010cb2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10CB2 10872 bytes
SHA-256: 05970687e8134a902b3e733f49c07829a769c3f13d0ff1a194716e659c8cccee
font_01_sfnt_off000125ba.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x125BA 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off00013dcc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13DCC 18348 bytes
SHA-256: c9cd79c95f369e94fc70cea2015d7fa8bb58556d0390117b71474e587f3db964
font_03_sfnt_off00016e68.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x16E68 16188 bytes
SHA-256: 43aaf6b7257293a9fb3df01e9826f837cf2b9b92f506adc28ae8aac51b7d6941