Malicious PDF — malware analysis report

Static analysis result for SHA-256 71436ef34f1ab284…

Verdict: MALICIOUS
File type: PDF
Size: 296.0 KB
Created: 2021-06-28 22:14:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3)
MD5: 0d19a77e0dc3d5412079c44729dcbe2f
SHA-1: 0a54755c2c0a2182c32e5d819991304b832202d1
SHA-256: 71436ef34f1ab2849ed34fbd195656604eede01106995fe0133e7a9c6f7bce64
Risk Score: 126

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains numerous links pointing to compromised websites, as indicated by the 'PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM' heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent, likely for phishing or distributing further malware. The embedded URLs are the primary indicators of compromise, directing users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8530

Heuristics (5)

  • ClamAV detection (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised WordPress upload storage (medium) PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    The PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (info) PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0004021d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4021D
    Size: 16096 bytes
    SHA-256: b5d8fb8356239b0da3dd43ad8e54ca839a0016726ba035576f5b8d707afefb81
  • font_01_sfnt_off00041757.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41757
    Size: 3032 bytes
    SHA-256: ac283588e6198c4855b7b24746410a89c1c5e27c404ed16423badf1e106a5a26
  • font_02_sfnt_off00042409.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x42409
    Size: 23280 bytes
    SHA-256: 66af41ab0b649e6628387c0f450d12f0846dc20e387476032a95f4e38651c183
  • font_03_sfnt_off00045e13.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x45E13
    Size: 16792 bytes
    SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
  • font_04_sfnt_off0004762a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4762A
    Size: 11312 bytes
    SHA-256: 11856873a29ea8a7ad1e6af923ad7c3c11ab182427f49b40c550cf230db39817