Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ebb252276b19046…

Verdict: MALICIOUS

File type: PDF

Size: 73.4 KB
Created: 2021-09-16 07:28:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-10-11

MD5: 15de6e0dcc0cb7c714bc5f5d133ae7c4
SHA-1: b7f2973558b5e20ee9a65e83fa4d7d492b2a4385
SHA-256: 6ebb252276b190465b7781caee8b47eee731621e2f750749561a5e3d279402d6

Risk Score: 156

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, indicating a high likelihood of malicious intent. The document contains numerous embedded URLs, many of which point to compromised CMS upload storage or disposable hosting, suggesting a link farm designed to redirect users to malicious sites. The presence of PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics further supports this, indicating a tactic to obscure the true destination of the links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage (severity: medium, PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM)
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting (severity: medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://philabc.ru/uplcv?utm_term=review+of+tenses+exercises+pdf (PDF link annotation)
    • https://tims.ro/ckfinder/userfiles/files/dudejikawojogidonuvigudik.pdf (in PDF document text)
    • https://kawanmto.net/contents/files/nisemapoweli.pdf (in PDF document text)
    • http://giorgimpianti.com/userfiles/file/54161594421.pdf (in PDF document text)
    • http://studiophotosfashion.it/userfiles/files/pizija.pdf (in PDF document text)
    • http://suliaox.com/v15/Upload/file/20219131649298405.pdf (in PDF document text)
    • http://mevlanaasm.com/resimler/files/9050858521.pdf (in PDF document text)
    • http://thechitay.com/uploads/userfiles/file/zujujaruwavewa.pdf (in PDF document text)
    • https://totalyoumovement.com/wp-content/plugins/formcraft/file-upload/server/content/files/1613e654b0efe4---10014546726.pdf (in PDF document text)
    • https://vcubusinesssolutions.com/userfiles/file/33051579395.pdf (in PDF document text)
    • http://xhiehchin.com/Xhieh_News/_file/65232794793.pdf (in PDF document text)
    • http://denda.co.kr/ckfinder/userfiles/files/52942003649.pdf (in PDF document text)
    • https://www.serwkom.pl/plugins/ckfinder/userfiles/files/98412937763.pdf (in PDF document text)
    • http://kooijobs.in/ckfinder/userfiles/files/kukenadu.pdf (in PDF document text)
    • https://husvagnsexpo.se/wp-content/plugins/formcraft/file-upload/server/content/files/1613c65b393e34---10043623326.pdf (in PDF document text)
    • http://thanhnienxp.com/vietkiendo/upload/file/63572316592.pdf (in PDF document text)
    • https://manusingh.org/scgtest/eec-new/codelibrary/ckeditor/ckfinder/userfiles/files/30299722725.pdf (in PDF document text)
    • https://speeddating.lt/speeddating/ckfinder/userfiles/files/95559974975.pdf (in PDF document text)
    • https://www.alertgy.com/wp-content/plugins/super-forms/uploads/php/files/8a088f8a484847592564dcd139e73959/46143252834.pdf (in PDF document text)
    • http://youngthisyear.com/ckfinder/userfiles/files/pipufukufibususoxuki.pdf (in PDF document text)
    • https://stockbauer.hu/uploads/file/22389040371.pdf (in PDF document text)
    • https://artgreen.vn/attachment/files/kuzavonunanifexoked.pdf (in PDF document text)
    • http://hamishehbaharcarpet.com/My_Project/Hamishe_bahar/ahar_img/files/56696930382.pdf (in PDF document text)
    • http://foire-fromages-et-vins.com/wp-content/plugins/formcraft/file-upload/server/content/files/16142645122599---81072196679.pdf (in PDF document text)
    • http://rivebistro.net/ckfinder/userfiles/files/firagilubelitawewax.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000ba79.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBA79 | 17256 bytes
    SHA-256: e974cd396c968f7734a50e4a82ac6832352f3d89d60f56bd47ef0b86e5bd3ad1
font_01_sfnt_off0000e71d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE71D | 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_02_sfnt_off0000ff34.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFF34 | 10704 bytes
    SHA-256: 6d0dd3871ab36c238284d83b6efdd297bd90b0befacb399dcc1f9126abcfd188