Malicious PDF — malware analysis report

Static analysis result for SHA-256 74074aa72e4baaf3…

MALICIOUS

PDF

95.9 KB Created: 2021-07-27 10:15:43 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-10-23
MD5: a8ea7d306d0622157f252872a0b31060 SHA-1: 0627e6f3395db159a6fe9e2e5e77235780a49903 SHA-256: 74074aa72e4baaf330591fb2630defa3230da3299dac423c7ef5c2246c8eb442
196 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links to compromised WordPress sites, with one specific URL identified as a potential malware distribution point. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware delivery. No scripts were extracted, but the structure suggests a lure to download a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9916

Heuristics 7

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://doublehappyvstheinfinitesadness.com/wp-content/plugins/formcraft/file-upload/server/content/files/160986bf15d080---zesiwuv.pdf In PDF document text
    • https://nicemexico.net/wp-content/plugins/formcraft/file-upload/server/content/files/16091d19356ef9---31786755538.pdfIn PDF document text
    • https://familienarbeit3plus.ch/userfiles/files/fodabijapokukapifunozomas.pdfIn PDF document text
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/1608743e91b415---28121010837.pdfIn PDF document text
    • https://big-cash.de/wp-content/plugins/super-forms/uploads/php/files/d3f36nrc2bdl5anrf4cmn045pd/9919907194.pdfIn PDF document text
    • https://www.avantagesapp.com/uploads/files/zikelefirepusulowumixotu.pdfIn PDF document text
    • https://iamluno.com/wp-content/plugins/formcraft/file-upload/server/content/files/160adf219d4227---tafol.pdfIn PDF document text
    • https://too.kg/wp-content/plugins/super-forms/uploads/php/files/81c3e340d9efa656e28acb48bc64813d/konasawu.pdfIn PDF document text
    • https://mission4recruitment.com/wp-content/plugins/formcraft/file-upload/server/content/files/160bd5e32617b2---bavutuxovugivezeledunexi.pdfIn PDF document text
    • http://brucemsmithlaw.com/clients/e/e2/e252bfde01ef004f685a9648d307a4b9/File/22679787994.pdfIn PDF document text
    • http://vodnik48.ru/content/file/jijogaxanu.pdfIn PDF document text
    • https://apinero.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607abe766c6a0---9929783796.pdfIn PDF document text
    • http://www.fliesen-brill.de/wp-content/plugins/formcraft/file-upload/server/content/files/160c2f7996b649---27467988410.pdfIn PDF document text
    • https://www.aironface.com/wp-content/plugins/super-forms/uploads/php/files/7df223f78f5c483182d0b847bfc5bedf/takalibokivakokererikok.pdfIn PDF document text
    • http://ibtaker.ps/userfiles/file/tuxofuvepuzonunuwaza.pdfIn PDF document text
    • https://vietrocknet.org/app/webroot/img/files/dulagurelulowod.pdfIn PDF document text
    • https://cytairtool.com/test/userfiles/file/20210722_65499.pdfIn PDF document text
    • https://tecsal.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/160b0da3ece6fe---64539538210.pdfIn PDF document text
    • http://veraschwemmle.de/fckdata/file/32195644145.pdfIn PDF document text
    • http://ahs1978hounds.com/clients/0/09/09313dc2b2b2138818c22350edca9cf7/File/rimenuwo.pdfIn PDF document text
    • http://china-zub.ru/userfiles/file/guzizefikiwis.pdfIn PDF document text
    • https://ahi.com.ua/wp-content/plugins/super-forms/uploads/php/files/a3e29b1eb58e50d5ee4092661f9e7b96/69325530319.pdfIn PDF document text
    • https://www.northernillumination.com/wp-content/plugins/super-forms/uploads/php/files/7da2b2da75e09d3e19cd9b85668b2df4/17973972483.pdfIn PDF document text
    • https://www.lowdoc-loans.com.au/wp-content/plugins/formcraft/file-upload/server/content/files/160c8be7ce728f---dutunipavamijapusezeto.pdfIn PDF document text
    • http://sarahscupcakery.com/wp-content/plugins/formcraft/file-upload/server/content/files/160d98652bfbe6---525884859.pdfIn PDF document text
    • https://feedproxy.google.com/~r/Uplcv/~3/FevRqgeaUVY/uplcv?utm_term=how+to+watch+free+netflix+on+iosPDF link annotation
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/xap/1.0/rights/In PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000fa7c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xFA7C 10612 bytes
SHA-256: e4accf420eacfbfc5bcf2ce4b16e52f40f8013a48a13a74edd780d02c7cae2d6
font_01_sfnt_off000112b4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x112B4 17392 bytes
SHA-256: df2ed3733f995ea9ffb11785faa0adcb0a2f7f7a612475bd6eec58da43b2d424
font_02_sfnt_off00013fcf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x13FCF 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_03_sfnt_off000157e0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x157E0 16428 bytes
SHA-256: 23191a20989a09959b2cbcbcedb805b598ca26499a9d836ac043174a76a4ddba

Open this report in the interactive analyzer, or submit your own file for analysis.