Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ef737f53646a14a…

MALICIOUS

PDF

95.3 KB Created: 2021-06-13 23:02:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-16
MD5: b40b6f117ba121e16ae86cf1567b0c3e SHA-1: 96831dd2ad0285bf331bda4fd9a3ff45cce08ddb SHA-256: 6ef737f53646a14af342862291cefeff92da8fb26b984a9564f97e1328fb13cb
164 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file was detected as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The document contains numerous external links, many pointing to compromised WordPress sites, suggesting it functions as a link farm or a lure for downloading further payloads. The presence of a 'download button' heuristic further supports the idea that the document is designed to trick users into initiating a download. While no scripts were explicitly extracted, the nature of the links and the overall detection suggest a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=bigo+live+hack+2020+ios PDF link annotation
    • http://vizit-k.net/uploads/editor/files/3108057669.pdfIn PDF document text
    • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/349ac75588aef45a8e29f332bfc5578f/tubumaxuzeku.pdfIn PDF document text
    • https://parisautotravel.com/wp-content/plugins/super-forms/uploads/php/files/h3l64c1cv3sk8lk537p39h0vj7/fatipomixurex.pdfIn PDF document text
    • https://inclinedigital.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607dffb975502---mumobirejatofajozot.pdfIn PDF document text
    • https://completecollegestrategies.com/wp-content/plugins/super-forms/uploads/php/files/edc0af3230507dd18a3e31e022629127/merukudasebifin.pdfIn PDF document text
    • https://webmodeli.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a45cd5d8eec---nivolid.pdfIn PDF document text
    • https://lion-trading.co.uk/wp-content/plugins/super-forms/uploads/php/files/pv6tjl7dm0jb9eo675jsmd4re1/68134969240.pdfIn PDF document text
    • http://jnnycc.org/userfiles/file/xozozilikatukemujibodil.pdfIn PDF document text
    • https://ladychief.com/wp-content/plugins/super-forms/uploads/php/files/0526a84cd85df5a27335009df37817fd/60302065748.pdfIn PDF document text
    • https://drivingschoolofnorthtexas.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a5cd1cb3bfc---leziwelodekupesej.pdfIn PDF document text
    • http://www.fsnn.se/wp-content/plugins/formcraft/file-upload/server/content/files/160aba41da4a5e---90451094349.pdfIn PDF document text
    • http://www.marsagri.com/wp-content/plugins/formcraft/file-upload/server/content/files/160a708ccc8a2d---25523633626.pdfIn PDF document text
    • https://dedywiredja.com/wp-content/plugins/formcraft/file-upload/server/content/files/160776daf284b1---vadazetovojulira.pdfIn PDF document text
    • https://www.zulilighting.com/wp-content/plugins/super-forms/uploads/php/files/3f99215512907cb8a34622c50ce965b1/5615962117.pdfIn PDF document text
    • http://macap.nl/app/webroot/files/userfiles/files/89574093331.pdfIn PDF document text
    • http://www.finanzanlagen-honorarberatung.de/wp-content/plugins/formcraft/file-upload/server/content/files/160a571e117f6d---40828137260.pdfIn PDF document text
    • https://careersourceokaloosawalton.com/files/public/11586127004.pdfIn PDF document text
    • http://www.ascendercorp.com/In PDF document text
    • http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
    • http://www.daltonmaag.com/In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://scripts.sil.org/OFLIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00010c87.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x10C87 5016 bytes
SHA-256: 9242c7e0d0b171da3d7a7596832e38d45b1efe62bf9c04cc72cbcb7ce8d65d21
font_01_sfnt_off00011d9c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11D9C 13584 bytes
SHA-256: 66b4b5b2c16756900ab9dca5c5867f2e69e12aa6d289cd5293668ff10c472770
font_02_sfnt_off00014aa1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x14AA1 16144 bytes
SHA-256: f6e0f4a25f18a144688c6b7f40519a5efc98c72643b9054f89526e396d9b459d
font_03_sfnt_off00015fa2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x15FA2 4324 bytes
SHA-256: 1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361

Open this report in the interactive analyzer, or submit your own file for analysis.