Malicious PDF — malware analysis report

Static analysis result for SHA-256 726cfc3956794c11…

MALICIOUS

PDF

89.9 KB Created: 2021-06-29 08:22:32 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-08-20
MD5: ae689ca7740e1cc9bab07151530233a3 SHA-1: ead5fd12059e1c2898963056890427f617174c3b SHA-256: 726cfc3956794c11243591261a3c297fa8de3f05fcfc0b5b0a749a9047037699
156 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged by multiple heuristics as malicious, including a ML classifier and ClamAV, indicating it is likely a phishing or malware distribution lure. The document contains numerous links to external websites, many hosted on compromised WordPress sites, suggesting it functions as a link farm to redirect users to malicious content. The presence of multiple distinct hosts and the use of UTM parameters further support this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://laborke.ru/uplcv?utm_term=mama+dee+real+housewives+of+dallas PDF link annotation
    • https://alate.org/admin/fckeditor/editorfile/bagaxumejizixale.pdfIn PDF document text
    • https://klingende-zeder.de/wp-content/plugins/formcraft/file-upload/server/content/files/160ba535f8d9a4---mawekizerogexofadek.pdfIn PDF document text
    • http://www.farparts.cl/wp-content/plugins/formcraft/file-upload/server/content/files/1608f9628a3fbb---lijilolusatunenudibogebir.pdfIn PDF document text
    • https://alenakovalchuk.ru/wp-content/plugins/super-forms/uploads/php/files/0c88d37720775d0ed625589e22c24556/derepegizudep.pdfIn PDF document text
    • https://amezdigital.com/wp-content/plugins/super-forms/uploads/php/files/015d4736fb0191a64b76de0502737140/mapexixotawojatukulolilat.pdfIn PDF document text
    • http://nesthomes.in/userfiles/file/85405498602.pdfIn PDF document text
    • http://lushexperiences.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607312d41091e---tuluvoxavitima.pdfIn PDF document text
    • https://profbuhotchet.ru/wp-content/plugins/super-forms/uploads/php/files/bc01f9cb85c6e6a3d16380dffc29467c/24233684416.pdfIn PDF document text
    • http://www.viksexteriors.com/wp-content/plugins/formcraft/file-upload/server/content/files/160c976106d830---lozolajadujekijo.pdfIn PDF document text
    • http://wooshin.kr/uploaded/file/1976375659609dada9dfc19.pdfIn PDF document text
    • http://topcudental.com/img/userfiles/files/musamodazigugekig.pdfIn PDF document text
    • https://avgdesign.com/userfiles/file/zipasivitinipulimavaj.pdfIn PDF document text
    • http://www.ausafrica.co.za/wp-content/plugins/formcraft/file-upload/server/content/files/160c7b7f350b46---lejetafekununumof.pdfIn PDF document text
    • https://maidintown.co.uk/wp-content/plugins/super-forms/uploads/php/files/7045837246eac598df0d4f4ac75a6c14/37363427131.pdfIn PDF document text
    • https://sirikulsteel.com/wp-content/plugins/formcraft/file-upload/server/content/files/1608a4f6138386---85449052290.pdfIn PDF document text
    • https://123kozijnofferte.nl/wp-content/plugins/super-forms/uploads/php/files/er0lj62a6g9be8cojd6mpm9tj3/wiwibizekavo.pdfIn PDF document text
    • https://www.ezhealthcheck.com/wp-content/plugins/super-forms/uploads/php/files/vl3b0pe5h4ufs5kn3cocpn9uli/1515034459.pdfIn PDF document text
    • https://estigotours.com/wp-content/plugins/super-forms/uploads/php/files/15c1b84e8d8859c8c289dac59cb5dc2f/jixulewojaliwujevujevoziw.pdfIn PDF document text
    • http://ackerviewguesthouse.com/userfiles/file/10701654046.pdfIn PDF document text
    • http://www.blackhillsdancecentre.com/wp-content/plugins/formcraft/file-upload/server/content/files/160729b479dda8---tatisivoku.pdfIn PDF document text
    • http://csptech.net/admin/userfiles/file/fizuferopefosen.pdfIn PDF document text
    • https://alianzatours.com/imagenes/file/pawaxaxisiza.pdfIn PDF document text
    • https://adsbudget.net/userfiles/file/18744176572.pdfIn PDF document text
    • http://e1pl2.nazwa.pl/busy/fotki/file/parobub.pdfIn PDF document text
    • https://sharpspringwww.kinsta.cloud/wp-content/plugins/super-forms/uploads/php/files/f394945f2420e7aab065c2bbc044fd14/gilofagikilufobeve.pdfIn PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fabd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFABD 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off000112cf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x112CF 17916 bytes
SHA-256: 8b50976ed0e7f69491898a5422d086687218e114d677693b9e60412762ccdf99
font_02_sfnt_off000141d4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x141D4 10660 bytes
SHA-256: 04bd321baa9711e5c405216f26dedd5cd9efa4cb8b00616987bc575bf5fb49e9