Malicious PDF — malware analysis report

Static analysis result for SHA-256 6cb7a1a303a8dfbc…

MALICIOUS

PDF

82.0 KB Created: 2021-09-17 14:47:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-27
MD5: 7ec582a43137c62d41873ea452dd9d58 SHA-1: d6fa36819de62c0bd68f06fb575a5c4a5a1bd50f SHA-256: 6cb7a1a303a8dfbcacfce01aa0f3669107227fe8e8c7fea82281c21f0e9640fd
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by ML classifiers and ClamAV as malicious. It contains a large number of embedded URLs, many of which point to compromised websites or disposable hosting, indicating it functions as a link farm. The primary purpose appears to be directing users to external sites, likely for phishing or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://medvor.ru/uplcv?utm_term=roots+novel+pdf PDF link annotation
    • http://limuzine.md/userfiles/file/dudufazamumipivanu.pdfIn PDF document text
    • http://rc-mst.com/mst/_upload/files/bilowuv.pdfIn PDF document text
    • https://www.dazzlingdecor.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/16131b04465e59---16411664245.pdfIn PDF document text
    • http://zdravi-kromeriz.cz/files/file/30208589019.pdfIn PDF document text
    • http://carbontuning.ru/file/10847632122.pdfIn PDF document text
    • https://evocative.ru/wp-content/plugins/formcraft/file-upload/server/content/files/1614040003129d---57386754662.pdfIn PDF document text
    • https://ourlady-schools2.com/userfiles/files/81100545326.pdfIn PDF document text
    • https://humantouchtranslations.com/wp-content/plugins/formcraft/file-upload/server/content/files/1/161410b92331a2---nenanonulabowapapikesinuz.pdfIn PDF document text
    • http://efuturesthai.com/uploads/files/kupowogizu.pdfIn PDF document text
    • https://beldapin.com/calisma2/files/uploads/14505439981.pdfIn PDF document text
    • https://slotpt2.com/contents/files/juvobo.pdfIn PDF document text
    • https://magicdiscoradio.com/userfiles/file/dumoxuxuzamivemalab.pdfIn PDF document text
    • http://sensor4you.com/fckeditor/editor/filemanager/connectors/php/fckeditor/upload/202109/file/birununiputudu.pdfIn PDF document text
    • http://firmykominkowe.pl/Obrazki/edytor/file/xakowapugososojixojoruz.pdfIn PDF document text
    • https://eliteswimmingpoolsinc.com/wp-content/plugins/super-forms/uploads/php/files/sqbi62mh0u73d49iojo5qi8ps5/9119769375.pdfIn PDF document text
    • https://abouelhoulgroup.com/userfiles/files/9794360753.pdfIn PDF document text
    • https://funcarele.com/ckfinder/userfiles/files/nomisifutagivokawosutela.pdfIn PDF document text
    • http://chinhsuasolieu.com/media/files/76266542812.pdfIn PDF document text
    • http://cs-golfclub.com/ckupload/files/lelolexamidomatarus.pdfIn PDF document text
    • http://kppzp.pl/userfiles/file/23120539647.pdfIn PDF document text
    • https://bawaniint.com/ckfinder/userfiles/files/12544567764.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000de01.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xDE01 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000f613.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xF613 17736 bytes
SHA-256: f324348c31d048b7cf23863133ff5aba953e768d0710483937536dad812a8cd6
font_02_sfnt_off0001234e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1234E 10248 bytes
SHA-256: d4cf7a300c0a7a2ff1ad7acff7aef6f7223abb8c6cbc89b25bdb59d171277fe6