Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b9d23f3369a48c4…

Verdict: MALICIOUS
File type: PDF
Size: 89.8 KB
Created: 2021-06-18 01:56:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-07
MD5: a7499738ee79d8a8daf31ae6b06dc84a
SHA-1: a70ca2ee72d737bc9249526d0ce8a9914e463ba6
SHA-256: 6b9d23f3369a48c4313773f9201e75c3fee35c21a9c309c2d251249f177ef547
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. Heuristics identified it as a link farm, with many URLs pointing to compromised CMS uploads and disposable hosting, suggesting a phishing or malware distribution scheme. The document body, though heavily obfuscated, contains keywords related to game save data, likely serving as a lure to entice users to click on the embedded malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000ee85.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE85
    Size: 5340 bytes
    SHA-256: c8080f4e3613b50d9decfa8f00252755edc32e34ff6b208b487001dc21ba0759
  • font_01_sfnt_off000100e9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100E9
    Size: 5664 bytes
    SHA-256: 203c9797a3dad48ac2edceb2b08170b2c67809f5bbb6be37dbe587af90731ae2
  • font_02_sfnt_off00011414.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11414
    Size: 16292 bytes
    SHA-256: 15ec0ace9e6bf92fba4823e6a5a5688889e9fa9aa0fbfbfd53f32588fa663c61
  • font_03_sfnt_off000141c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x141C1
    Size: 16196 bytes
    SHA-256: 536551dee6876366cf8a5d925709f0aaa9c9f58e9963f4e154d0e8cf77de6ee3