Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c7f8bcd02778789…

Verdict: MALICIOUS
File type: PDF
Size: 238.4 KB
Created: 2021-07-01 10:30:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 52e7f7a2edd07c3503b6090c7602498d
SHA-1: fb5fbb5628233136bf3b649a0ef9d42526c5d65e
SHA-256: 6c7f8bcd027787895ce64b7d0df0123cc9010466329bf445232d24d2d3e3fee9
Risk Score: 134

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to external websites, many of which are hosted on compromised WordPress sites, suggesting a phishing or malware distribution campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. The presence of urgency language in the document body further supports a lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9352

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0003148e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3148E | 4340 bytes | 2ef351f2907fe0ed3ef336c826a50de6a3009461dc9c4b77b9fa3abecf815c98
font_01_sfnt_off00032530.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32530 | 17084 bytes | 006f187d4c7902677b2856cc98a5c8f9c1d212a35cf6ad790bcac41b04031a3f
font_02_sfnt_off00033e36.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33E36 | 16792 bytes | 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off0003564d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3564D | 10848 bytes | 0f4a68a8fc26e4e66ca78205c7f0c3144f9943506382340de0f5aa19962dac3e
font_04_sfnt_off00036f34.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x36F34 | 24436 bytes | 11622150993ccbe0259758391d5a05cd14619a39c8cc2c7899c1762468d91db2