Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fdc38ae13f1ff5e…

Verdict: MALICIOUS
File type: PDF
Size: 63.6 KB
Created: 2021-09-08 01:29:20 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
First seen: 2021-11-02
MD5: b204f8dd6bcadb14e5191c86c257a1bd
SHA-1: f94bb865059cc5802e3ccf95c8fb3baee93679bb
SHA-256: 6fdc38ae13f1ff5ed27597c751f4578a78b1cc797c122a1a8fb4788355f8c9d3
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for executing malicious code. The sample also hosts numerous external links, many pointing to compromised WordPress sites or disposable hosting, suggesting a phishing or malware distribution scheme. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6934

Heuristics (6)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage [medium] PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000b9ba.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB9BA  16524 bytes
  SHA-256: 4494b6f7f806429c2968ef47744696b08f9be745e80e7636c27d43f09246f445
font_01_sfnt_off0000e3f7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE3F7  10576 bytes
  SHA-256: 4517b7af1203726cf87eadedca6626050289de9e7ce8abc7a5fe3239e0688d41