Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ef1d3330c948f12…

MALICIOUS

PDF

93.7 KB Created: 2021-09-06 06:56:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-14
MD5: f1a7dbb68b4a9dbe7416d9e493a75999 SHA-1: f3b70e0ff94f280474809c2f814fa320da00305c SHA-256: 6ef1d3330c948f129779e88460b8db10faaca6dd41de6d4d4acae062d8b15b53
132 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample contains embedded JavaScript, a common technique for executing malicious code within PDFs. This script likely redirects the user to external URLs, as indicated by the numerous PDF_SEO_DISPOSABLE_LINK_FARM and PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM heuristics. The ClamAV detection further confirms its malicious nature, classifying it as a phishing trojan.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2938

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.conkite.com/wp-content/plugins/super-forms/uploads/php/files/bed6dc19211c736cdebddb5b0328756c/mudotuke.pdf In PDF document text
    • http://pamat.ro/UserFiles/file/nulurowez.pdfIn PDF document text
    • http://www.dnevi-sekretarjev.eu/wp-content/plugins/formcraft/file-upload/server/content/files/160795a1b6805f---57771972493.pdfIn PDF document text
    • https://patc.fr/imagesfile/93671179071.pdfIn PDF document text
    • https://afriqueitnews.com/wp-content/plugins/super-forms/uploads/php/files/6c3f4f15f9997b00703bf4a22b606f32/zuwexuzi.pdfIn PDF document text
    • http://stsaischoolamritsar.com/slbdavbatala/userfiles/file/36430473836.pdfIn PDF document text
    • http://giasuminhtam.com/Images_upload/files/22970776832.pdfIn PDF document text
    • http://www.onekaddy.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c97d9ff2f56---mogedel.pdfIn PDF document text
    • http://jockmurray.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c2a7801467b---pulezobebopaw.pdfIn PDF document text
    • http://indiebookoftheday.com/wp-content/plugins/formcraft/file-upload/server/content/files/160ab211dbaf82---6874876395.pdfIn PDF document text
    • http://schodylux.pl/userfiles/file/talovaneneforazimusopir.pdfIn PDF document text
    • https://theelementrama9.com/userfiles/files/38680512121.pdfIn PDF document text
    • https://win-win-keiba.site/js/ckfinder/userfiles/files/93153299194.pdfIn PDF document text
    • http://frickcontrols.com/uploads/files/85868419870.pdfIn PDF document text
    • http://richmediahouse.com/admin/uploads/file/33438655092.pdfIn PDF document text
    • http://tunesistudio.eu/userfiles/files/vogoputas.pdfIn PDF document text
    • http://leoclubmarsala.it/userfiles/files/polakawojepofomenubaw.pdfIn PDF document text
    • https://www.paparazzirestaurant.com.au/wp-content/plugins/super-forms/uploads/php/files/7d9cdaa2251241a76ed129bf79cf4c78/87770440091.pdfIn PDF document text
    • https://www.reliancecareuk.com/wp-content/plugins/super-forms/uploads/php/files/dcf37c4a39eb2aa23d83aa0943122b95/fijug.pdfIn PDF document text
    • http://termosystem.pl/userfiles/file/suxupipunomipadenunerotu.pdfIn PDF document text
    • http://asijskepotraviny.cz/files/file/9965371849.pdfIn PDF document text
    • https://tckontrola.hr/files/wufefaxobovaxinevug.pdfIn PDF document text
    • http://www.fotografoeventimilano.com/wp-content/plugins/formcraft/file-upload/server/content/files/161164e6a056df---69866539177.pdfIn PDF document text
    • https://tyeetomsfishing.com/userfiles/file/88628867662.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/cv9VXjIrmdE/uplcv?utm_term=mpls+configuration+on+cisco+ios+pdfPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000120d7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x120D7 10756 bytes
SHA-256: abc92b9b6d5234acc7002d2f72a16e78c93b5387b7c45e295bf0d91e8e9c246c
font_01_sfnt_off00013987.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13987 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1