Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fce158c85058c1c…

MALICIOUS

PDF

85.4 KB Created: 2021-09-12 16:08:44 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-12
MD5: 93c46f1f8e19198f539b00d8dfaa05c8 SHA-1: dddacdaed3a52fcdb1ce695967940a8f76b57b9c SHA-256: 6fce158c85058c1c4425042f4f01e96ef4ba6d33de927961dcc081c38ec56f5a
204 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The file is a PDF that contains numerous links to potentially compromised websites, many of which host other PDF files. The presence of the 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely instructs the user to open a password-protected archive, a common method for delivering malware. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9912

Heuristics 8

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bamfieldrental.com/userfiles/file/82530311575.pdf In PDF document text
    • https://kitapkaplama.com/upload/ckfinder/files/gesosafawuwusuteradisop.pdfIn PDF document text
    • https://kawanmto.net/contents/files/29380224910.pdfIn PDF document text
    • http://kibbkw.com/uploads/file/32461770117.pdfIn PDF document text
    • http://cuspsurgeons.com/userfiles/file/pirakefamax.pdfIn PDF document text
    • http://shinies.ru/img/lib/file/biruwuzusukakogujinemidik.pdfIn PDF document text
    • https://cffcommunications.nl/wp-content/plugins/formcraft/file-upload/server/content/files/1/1612ec3ba7ef4f---wisewiruraxuke.pdfIn PDF document text
    • http://www.driftime.ee/wp-content/plugins/formcraft/file-upload/server/content/files/1613d882fe8149---27203863810.pdfIn PDF document text
    • https://sevenhillsgroup.net/ckfinder/userfiles/files/27044201142.pdfIn PDF document text
    • http://xn--80aaaaadfwa5aftjhxrkcrg8iwc.xn--p1ai/pict/file/25003922422.pdfIn PDF document text
    • http://virtualcharityevents.com/vce_cake/files/files/lonijubexixafiwaz.pdfIn PDF document text
    • http://udelimpa.es/ckfinder/userfiles/files/26526228320.pdfIn PDF document text
    • http://itnetworkconsultingsf.com/helpdesk/app/webroot/img/userfiles/files/46263570729.pdfIn PDF document text
    • http://ngocvietbungalow.com/upload/files/gepavikadudekosuwi.pdfIn PDF document text
    • http://learnersdigest.org/userfiles/file/22077488578.pdfIn PDF document text
    • http://www.siposferenc.hu/html/bobobide.pdfIn PDF document text
    • https://miamivanservice.net/wp-content/plugins/formcraft/file-upload/server/content/files/16132ab7e461c8---36258184490.pdfIn PDF document text
    • http://ophtalmic-overnight.fr/wp-content/plugins/formcraft/file-upload/server/content/files/16130819d78dd2---91497589828.pdfIn PDF document text
    • http://superbarter.sk/media/file/bumutewegezudizixipelibox.pdfIn PDF document text
    • https://nstoplana.rs/ckfinder/userfiles/files/43297224014.pdfIn PDF document text
    • http://pc580.cn/upload_fck/file/2021-9-12/20210912023919426520.pdfIn PDF document text
    • http://laiyi-art.com/userfiles/file/23393092746.pdfIn PDF document text
    • http://bowlingkillers.com/imgdb/files/bimezamujijuwokopataponaz.pdfIn PDF document text
    • https://www.weldcor.ca/public/ckfinder/userfiles/files/15828664651.pdfIn PDF document text
    • http://arisutour.com/ckupload/files/ropuzamofiruravasobaforiv.pdfIn PDF document text
    • http://thuexe7cho.vn/upload/files/7715495205.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/A3Ryygt5BCM/uplcv?utm_term=real+gta+5+ppsspp+downloadPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000ea13.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEA13 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0001022a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1022A 10640 bytes
SHA-256: 30103f06a57db22c048ba0f36d91ba138b9be1546c76fc4d27cb5509781d1215
font_02_sfnt_off00011a94.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A94 17432 bytes
SHA-256: d76eb2bd7a5eebf39babc284a81961093c480dfb8fd1ef0361c301049cc6e8b0