Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e1f2f1dc63a50f5…

MALICIOUS

PDF

141.3 KB Created: 2021-07-19 10:17:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-15
MD5: 4e70aeb4b3c15a8ba525dc6647b052c2 SHA-1: 28632651acd6152201754bd039342069fcebb3a2 SHA-256: 6e1f2f1dc63a50f5f82a507771a432f0816718c77bce23459d5998d7a6dd1b14
304 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

This PDF document exhibits multiple high-severity heuristics indicating malicious intent, including fake CAPTCHA prompts and clipboard command execution lures. The document's structure suggests it is designed to trick users into running commands, likely to download and execute a second-stage payload. The presence of numerous URLs, many pointing to compromised CMS uploads or disposable hosting, further supports a malicious phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8666

Heuristics 10

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • Fake CAPTCHA with command-running instructions critical SE_FAKE_CAPTCHA_CLICKFIX
    Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.dazzlingdecor.co.uk/wp-content/plugins/formcraft/file-upload/server/content/files/1607b8fc26eef5---xinixugilupalafeguvalap.pdf In PDF document text
    • https://arhometutor.com/userfiles/file/gidejanimak.pdfIn PDF document text
    • https://abyway.lv/images/ck_images/files/97367577879.pdfIn PDF document text
    • https://specialbrands.gr/wp-content/plugins/super-forms/uploads/php/files/37edc3bb8c2bc374c0958d8bc3facb8d/fusalofemapaveguzoj.pdfIn PDF document text
    • http://ghettaetamionarchitetti.it/userfiles/files/tetotunusawokevadarima.pdfIn PDF document text
    • https://www.mybizwebsites.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b3a75ee3623---tuvewi.pdfIn PDF document text
    • https://kildevangen.dk/files/48556820712.pdfIn PDF document text
    • http://blackhorsesc.pl/userfiles/file/54859709777.pdfIn PDF document text
    • http://www.nanodrywash.com/wp-content/plugins/formcraft/file-upload/server/content/files/160b7e75f8cb6d---68469671173.pdfIn PDF document text
    • https://semsaesp.com/ckfinder/userfiles/files/rited.pdfIn PDF document text
    • http://www.ebsjosepirosamaria.com/wp-content/plugins/formcraft/file-upload/server/content/files/160730c8ada70c---23644342098.pdfIn PDF document text
    • http://tinhdaurosa.com/Images_upload/files/nemeb.pdfIn PDF document text
    • https://akapacha.com/userfiles/file/mowurewemojetelefuduri.pdfIn PDF document text
    • http://math-talk.kr/wp-content/plugins/super-forms/uploads/php/files/4bgdb9f15mud4ljg73fqke86q3/13845271239.pdfIn PDF document text
    • https://beautyyaurient.com/editor_upload/file/pefizagoruzasox.pdfIn PDF document text
    • http://camwater.org/media/files/roguwovazola.pdfIn PDF document text
    • http://salonlomi.pl/wp-content/plugins/formcraft/file-upload/server/content/files/16074388174f7a---dexeresadiditumolege.pdfIn PDF document text
    • https://c4ir.ae/wp-content/plugins/super-forms/uploads/php/files/updtjq97l5o4pujcs5ljtn8rh5/xagox.pdfIn PDF document text
    • http://machinegroup.ru/img/outer/files/16541898800.pdfIn PDF document text
    • https://2greenchicks.com/wp-content/plugins/super-forms/uploads/php/files/661a6dc5002d45f9809ed59e2aeb010b/jizosopebixifozuwajib.pdfIn PDF document text
    • http://brothersaluminium.com.np/wp-content/plugins/formcraft/file-upload/server/content/files/160dee596d178d---28198486602.pdfIn PDF document text
    • https://flylights.pl/wp-content/plugins/super-forms/uploads/php/files/itcodlhebpfvtkm5801kobn7d2/rudizobiwoka.pdfIn PDF document text
    • http://simonkuehner.de/gfx/userfiles/files/28195834561.pdfIn PDF document text
    • http://call.ae/wp-content/plugins/formcraft/file-upload/server/content/files/160855c2fb7df5---66277903982.pdfIn PDF document text
    • https://gpuhub.net/wp-content/plugins/super-forms/uploads/php/files/uv7or6fhrp1amvofdjf0ca786e/55623555319.pdfIn PDF document text
    • http://rubivina.com/Images_upload/files/67656041192.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/BvfzZFkJO3s/uplcv?utm_term=roblox+exploit+source+code+2020PDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00019472.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x19472 16496 bytes
SHA-256: 36ab8ee6ceb95a0a7747728201e51323a72fe0eaa0ab4e943b81dec5307a26f4
font_01_sfnt_off0001aae6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AAE6 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0001c2f3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C2F3 2408 bytes
SHA-256: ffac756d99fede62422180a9219103402dfab4c0746f2e1f2c81f2f70365ff17
font_03_sfnt_off0001cd94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CD94 10872 bytes
SHA-256: ad3b014ccd63e92d6837424c8c272b31458405881f0d967d13059b6d92419ec4
font_04_sfnt_off0001e6a2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E6A2 26304 bytes
SHA-256: 6c3503f48ddedb37c70c2343bca177c604bc1f51369e6e8ef415d1cffeaf90a4